European Report: Facebook’s Privacy Terms, Practices Violate EU Regulations
The report’s authors cited multiple privacy concerns and issued the following statement summarizing their conclusions:
First, Facebook places too much burden on its users. Users are expected to navigate Facebook’s complex web of settings (which include “Privacy”, “Apps”, “Ads”, “Followers”, etc.) in search of possible opt-outs. Facebook’s default settings related to behavioural profiling or Social Ads, for example, are particularly problematic. Moreover, users are offered no choice whatsoever with regard to their appearance in “Sponsored Stories” or the sharing of location data. Second, users do not receive adequate information. For instance, it isn’t always clear what is meant by the use of images “for advertising purposes”. Will profile pictures only be used for “Sponsored Stories” and “Social Adverts”, or will it go beyond that? Who are the “third party companies”, “service providers” and “other partners” mentioned in Facebook’s data use policy? What are the precise implications of Facebook’s extensive data gathering through third-party websites, mobile applications, as well as recently acquired companies such as WhatsApp and Instagram?
Here’s a brief summary of a few of the report’s verbatim conclusions:
Consent: To be valid, consent must be “freely given”, “specific”, “informed” and “unambiguous”. Given the limited information Facebook provides and the absence of meaningful choice with regard to certain processing operations, it is highly questionable whether Facebook’s current approach satisfies these requirements.
Privacy: According to the Article 29 Working Party, consent cannot be inferred from the data subject’s inaction with regard to behavioural marketing. As a result, Facebook’s opt-out system for advertising does not meet the requirements for legally valid consent. In addition, opt-outs for “Sponsored Stories” or collection of location data are simply not provided.
Contract terms: Our analysis shows that there are several clauses which violate European consumer protection law. Specifically, Facebook’s SRR contains a number of provisions which do not comply with the Unfair Contract Terms Directive.
Data usage/sharing: Facebook combines data from an increasingly wide variety of sources (e.g., Instagram, WhatsApp and data brokers). By combining information from these sources, Facebook gains a deeper and more detailed profile of its users. Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes. The current practice does not meet the requirements for legally valid consent.
Use of user-generated content: Facebook’s terms allow the company to use user-generated content (e.g. photos) for commercial purposes (e.g., Sponsored Stories, Social Ads). While the revised terms communicate this practice in a more transparent way, Facebook fails to offer adequate control mechanisms.
Location: The only way to stop the Facebook mobile app from accessing location data on one’s smart phone is to do so at the level of the mobile operating system. Facebook should implement granular location-data settings, with all parameters turned off by default. These settings should allow users to determine when and how location data can be used by Facebook and to what purpose.
Tracking: Facebook monitors its users in a variety of ways, both off and on Facebook. While Facebook provides users with high-level information about its tracking practices, we argue that the collection or use of device information envisaged by the 2015 DUP does not comply with the requirements of article 5(3) of the e-Privacy Directive . . .
Several EU member countries are currently investigating Facebook’s data collection and privacy policies. In response to the report, Facebook issued a statement to The Guardian saying that it was confident that it was in compliance with European privacy laws:
We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising, . . . We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates including this one with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.
Similar statements about compliance with EU privacy law by Google did nothing to stop European regulators from investigating and fining Google for similar privacy issues. Accordingly, we can probably expect this will be the beginning of a negotiation with Facebook to get the company to alter its disclosures and data collection practices. Ultimately Facebook will probably be compelled to change the way it communicates about privacy, obtains consent and uses data from European residents.