Facebook’s Data Protection Practices Under Fresh Fire In Europe

Facebook is facing fresh criticism in Europe over data protection and the myriad smoke-and-mirrors methods it uses to obfuscate its gathering and processing of user data.

A report commissioned by Belgium’s data protection authority has found Facebook’s revised privacy policy, last updated in January, violates European consumer protection law in a number of ways.

The detailed 61-page report, written by academics at the Universities of Leuven and Brussels and entitled “From social media service to advertising network”, highlights what the authors judge to be a raft of violations of current European law.

Among the practices being criticized are:

  • Facebook’s failure to secure valid consent from users to its processing of their data — based on offering “limited information” and “the absence of meaningful choice”
  • its “problematic” opt-outs for behavioral marketing
  • unfair contract terms in its Statement of Rights and Responsibilities — persisting, according to the authors, since 2013
  • no “legally valid consent” for detailed user profiling obtained by Facebook combining and sharing data between its own services (such as WhatsApp and Instagram) and third-party data brokers
  • a lack of “adequate control mechanisms” and transparency where Facebook uses user-generated content for commercial purposes (such as Sponsored Stories, Social Ads)
  • no opt-out for location-tracking of users by the Facebook mobile app (“The only way to stop the Facebook mobile app from accessing location data on one’s smart phone is to do so at the level of the mobile operating system”)
  • a lack of “free and informed prior consent” for the collection and use of device information
  • a failure to properly acknowledge the data subject rights of its users

The report notes that Facebook’s data processing capabilities have “increased both horizontally and vertically” — via increasingly detailed data mining of activity on Facebook’s own platform, and outside as Zuck & co gather user data from “acquired companies, partnering platforms and websites or mobile applications that rely on Facebook (or one of its companies) for advertising or other services”.

In a general assessment of the revised terms, the report authors say that while Facebook’s new privacy policy ups the prominence of its data use practices, the company is still communicating “on a general and abstract level” — with “hypothetical and vague language” obfuscating its data-related activities, and with only “limited choice” offered to users about how their data is processed:

Overall, Facebook’s revised DUP [data use policy] signals the company’s data use practices in a more prominent way. In this regard, Facebook seems to have taken an important step forward. However, the uses of data are still only communicated on a general and abstract level. Much of the DUP consists of hypothetical and vague language rather than clear statements regarding the actual use of data. Moreover, the choices Facebook offers to its users are limited. For many data uses, the only choice for users is to simply “take-it-or-leave-it”. If they do not accept, they can no longer use Facebook and may miss out on content exclusively shared on this platform. In other words, Facebook leverages its dominant position on the OSN market to legitimise the tracking of individuals’ behaviour across services and devices.

The re-use of user content for targeting and advertising purposes is deeply embedded in Facebook’s practices. It is impossible to add any information that may not later be re-used for targeting, and any “like” may become a trigger to portray a user in a “Sponsored Story” or Social Ad. From the latter one can opt-out, but the only way to stop appearing in Sponsored Stories, is by stopping to “like” content altogether. Users are even more disempowered because they are unaware about how exactly their data is used for advertising purposes. Furthermore, they are left in the dark about their appearance in promotional content. Facebook should not only provide users with more options to control how their data is gathered, but also show users how their name and picture is used in specific instances.

Facebook’s European HQ is in Ireland, so it’s regulated by the Irish Data Protection Commissioner. The Irish DPC previously audited Facebook’s practices in 2011 and 2012 — and at the latter time declared itself generally satisfied that Facebook had implemented recommendations (such as turning off a facial recognition tagging feature in Europe) to comply with regional data protection requirements.

In a statement responding to the Belgian DPA report, a Facebook spokesman said the company is “confident” its updated terms and policies “comply with applicable laws”:

We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising. We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates - including this one - with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.

The European Union is in the process of reforming and harmonizing its data protection directive, which dates back to 1995.

New rules, with more stringent penalties for non-compliance, are expected to be agreed later this year by the European Parliament.