Consequences of Simplified Registration Processes on International Online Platforms
With its decision of June 6, 2025 (Case No.: II 15 O 472/22), the Berlin Regional Court adopted a remarkable position regarding the data protection-compliant design of digital registration processes. The proceedings focused on the practice of Google Ireland Limited concerning the provision of information when opening user accounts and the resulting data protection implications, particularly under the requirements of the General Data Protection Regulation (GDPR).
Background and Procedural Context
The judicial proceedings were based on a lawsuit filed by a German consumer protection association, which essentially challenged the design of the registration process for Google accounts. Specifically, the association criticized that Google made the required data protection notices accessible only via a link during registration and provided the information in a subsequent step. From the plaintiff's perspective, this was incompatible with the normative requirements of the GDPR, which demands direct, easily accessible information at the point of data collection. Google, on the other hand, argued that a simplified registration process designed to improve user-friendliness would also be permissible from a data protection perspective.
Relevant Legal Requirements under the GDPR
Collection of Personal Data and Information Obligations
According to Art. 13 GDPR, controllers are required to inform data subjects about the essential aspects of data processing at the time their personal data is collected. This includes, in particular, details about the identity of the controller, the purposes of processing and the legal basis, storage duration, potential recipients, as well as the rights of data subjects. The information must be provided “in a precise, transparent, intelligible, and easily accessible form.”
Significance of Accessibility and Transparency
The court made it clear that it is not sufficient to provide extensive data protection information only via a link or by making it available in a subordinate manner. What matters is that users can access all relevant data protection information during the registration process without detours. The mere possibility of obtaining details about data processing after completing registration does not, in the court’s opinion, satisfy the requirements of Art. 13 GDPR.
Assessment and Implications of the Ruling
Consideration of User Friendliness and Data Protection
The Regional Court acknowledged the efforts to create user-friendly digital processes, but set data protection limits on this user-friendliness. Excessive simplification must not come at the expense of transparency. Mere optimization of the user experience must not result in essential information being relegated to the background or becoming practically harder to access.
Relevance for International Platform Operators
The decision is significant beyond the individual case. It emphasizes that international providers must equally take into account technological progress and regulatory requirements. Especially platforms operating with a high degree of standardization are required to design their processes so that the extensive requirements of the GDPR are effectively implemented. This applies particularly to the initial contact with users, where the flow of information must not be hindered by technical or design barriers.
Practical Implications for Companies
Adjustment of Registration-Based Business Models
Companies that base their services on a registration requirement should thoroughly review their registration procedures. According to current case law, it is essential to provide the entire scope of necessary data protection information directly, transparently, and comprehensively at the point of data collection. Subsequent provision of information or mere availability via links will, as a rule, not suffice, although this depends on the circumstances of the individual case.
Legal Consequences of Ongoing Violations
Should violations of data protection information obligations be identified, supervisory sanctions may be imposed, and cease-and-desist claims are also conceivable. The decision of the Berlin Regional Court demonstrates that the courts are prepared to rigorously enforce the requirements of the GDPR and thereby strengthen user rights. It remains to be seen whether this case law will be modified or confirmed on appeal or in further proceedings. The presumption of innocence for other parties involved must be observed; the proceedings have therefore not necessarily been conclusively assessed.
Classification of the Decision and Scope for Action
The ruling shows that data protection in digital registration processes must not be viewed as an isolated compliance requirement, but as an integral part of corporate processes. The interface between technological procedures and regulatory requirements is becoming increasingly important, especially for internationally active companies.
In conclusion, it should be noted that both current and future registration processes require precise legal compliance in their design. For questions on data protection requirements for digital registration procedures or the implementation of court decisions, a lawyer at MTR Legal is at your disposal.