The case was brought about by a longstanding Facebook nemesis, the Federation of German Consumer Organisations, Verbraucherzentrale Bundesverband, or VZBV.
Over the years, the VZBV has targeted Facebook's Friend Finder tool and its deployment of users' photos in ads, and its data-sharing between WhatsApp and the parent social network.
This time round, the Berlin regional court agreed with the VZBV that Facebook is breaking German data-protection law by collecting users' data without giving them the information they need to make informed choices.
The court said Facebook's default settings break the law: its mobile app automatically has users sharing their location, and users' profiles are by default findable through search engines.
The judges also agreed that eight of the clauses in Facebook's terms and conditions don't meet the legal standards needed to get users' effective consent, because they are too broadly phrased.
These clauses include pre-formulated statements about Facebook getting the right to use people's names and profile pictures in ads, and to forward their data to the U.S.
The same went for Facebook's clause obliging people to use their real names. However, although the judges ruled the clause inadmissible, they said it remained unclear whether it is acceptable for Facebook to have a real-names policy as such.
The VZBV is adamant that this practice is not legal. "Providers of online services must allow users to use their services anonymously, for example, by using a pseudonym," said VZBV litigation policy officer Heiko Dünkel, pointing to the German Telemedia Act.
So it isn't just Facebook that's appealing to the Berlin Court of Appeal. The VZBV said it will also do so regarding the points on which it lost.
The court actually delivered its judgement in mid-January, but the ruling was only published on Monday. "We are reviewing this recent decision carefully and are pleased that the court agreed with us on a number of issues," a Facebook spokesperson said.
The spokesperson noted that Facebook has changed its policies since the case began in 2015, and will soon change them again.
The General Data Protection Regulation (GDPR) will come into force in May, introducing much tighter privacy rules across the European Union, and companies such as Facebook will need to change the way they treat personal data to comply with the law.
Facebook chief operating officer Sheryl Sandberg last month said the company would roll out a "new privacy center" available worldwide, in response to the GDPR's demands.
However, while she argued that Facebook's apps "have long been focused on giving people transparency and control", she did not specify in which ways the social network would step this up.