Recently, in September 2017, the Spanish data protection authority (AEPD) fined Facebook 1,2 million euros, claiming that the social network had been breaking privacy rules on multiple counts over the way it uses people’s data for advertising purposes.

More specifically, AEPD notes that the social network collects, stores and uses data, including specially protected data, for advertising purposes without obtaining consent. The consent obtained from users to process their data is not unambiguous, specific and informed, as required, since the information provided is not adequate.

Furthermore, even specially protected data, such as ideology, sex, religion, personal preferences and browsing activity, are being collected directly, through interaction with its services or from third-party pages, without clearly informing the user about how and for what purpose they are going to be used. More precisely, Facebook does not inform users in an exhaustive and clear way about the data that it will collect and the processing operations that will be carried out, and instead offers only some examples. In particular, it collects other data derived from users' interactions on the platform and on third-party sites, without users being able to clearly perceive what information Facebook collects about them or for what purpose it will be used.

In addition, users are not informed that their data will be processed through the use of cookies even when browsing non-Facebook pages containing the “Like” button, which means that this is taking place even for non-members of the social network and for users who are not logged in to Facebook.

AEPD has also claimed that Facebook’s privacy policy contains generic and unclear terms and obliges users to access too many different links to get to know it.

Last but not least, personal data are not fully deleted when they are no longer useful for the purpose for which they were collected, nor when the user explicitly requests their removal. Facebook does not delete the information that it collects from the browsing habits of users, but retains it and later reuses it, associated with the same user. It was also verified that when users delete their account and ask Facebook to delete their information, it captures and processes the information for more than 17 months through a deleted account cookie.

After Facebook’s notice on the global revision of its data policy, cookie policy and terms in 2014, AEPD (Spain) has carried out its investigation procedures in coordination with other Data Protection Authorities of the European Union, in particular those of France, Hamburg (Germany), Belgium and the Netherlands, which form a group named the “Contact Group”, in order to investigate the information provided to users, the validity of consent and the processing of personal data for advertising purposes.

The other member authorities of the Contact Group have also fined or warned Facebook because of its policy and use of data. The social network was fined 150.000 euros by CNIL, the French data watchdog, for failing to prevent its users’ data being accessed by advertisers. CNIL found that the Facebook group does not have a legal basis to combine all the information it has on account holders to display targeted advertising and also engages in unlawful tracking, via the datr cookie, of internet users. The cookie banner and the mention of information collected “on and outside Facebook” do not allow users to clearly understand that their personal data are systematically collected as soon as they navigate on a third-party website that includes a social plug-in.

Furthermore, a Court in Belgium has ordered Facebook to stop tracking Internet users who are not registered with the social network, since it collects data of non-users who come into contact with this service by looking at public profiles or clicking the “Like” button. It has ruled that Facebook cannot follow people on the Internet who are not members of Facebook; since they are not members, they can never have given permission to follow them.

Germany’s Competition Authority, the Bundeskartellamt, also released the preliminary finding of an investigation into Facebook’s data tracking practices. The probe found that Facebook illegally tracks users across the Internet by requiring anyone who wishes to create a profile to allow the social media platform to “limitlessly amass every kind of data generated by using third-party websites”, including Instagram, WhatsApp and any website featuring a “like button”. However, a final decision on the case would not come before summer of 2018.

In the Netherlands, the Dutch DPA concluded that Facebook Group breaches Dutch Data Protection Law by giving users insufficient information about the use of their personal data and also by using sensitive personal data from users without their explicit consent, for example data relating to sexual preferences in order to show targeted advertisements.

There is no doubt that the possibility of building a profile of users is a privacy threat, especially when tracking is done across multiple domains using third-party cookies. That is why there has to be adequate legislation and protection of data subjects. In particular, concerning the EU, the Article 29 Working Party has already adopted new guidelines covering profiling and automated decision-making under the forthcoming GDPR, while warning that profiling and automated decision-making technologies can pose “significant risks for individuals’ rights and freedoms” and can “perpetuate existing stereotypes and social segregation” absent appropriate safeguards. It remains to be seen whether Facebook and all social networks will satisfy the conditions of this legislation in the near future, for fear of the even larger fines of the GDPR.


Edited by Youli Siamandoura