Facebook has been left red-faced after being forced to call off the launch date of its dating service in Europe because it failed to give its lead EU data regulator enough advanced warning — including failing to demonstrate it had performed a legally required assessment of privacy risks.
Yesterday, Ireland’s Independent.ie newspaper reported that the Irish Data Protection Commission (DPC) — using inspection and document seizure powers set out in Section 130 of the country’s Data Protection Act — had sent agents to Facebook’s Dublin office seeking documentation that Facebook had failed to provide.
In a statement on its website, the DPC said Facebook first contacted it about the rollout of the dating feature in the EU on February 3.
“We were very concerned that this was the first that we’d heard from Facebook Ireland about this new feature, considering that it was their intention to roll it out tomorrow, 13 February,” the regulator writes. “Our concerns were further compounded by the fact that no information/documentation was provided to us on 3 February in relation to the Data Protection Impact Assessment [DPIA] or the decision-making processes that were undertaken by Facebook Ireland.”
Facebook announced its plan to get into the dating game all the way back in May 2018, trailing its Tinder-encroaching idea to bake a dating feature for non-friends into its social network at its F8 developer conference.
It went on to test launch the product in Colombia a few months later. Since then, it’s been gradually adding more countries in South American and Asia. It also launched in the U.S. last fall after it was fined $5BN by the FTC for historical privacy lapses.
At the time of its U.S. launch, Facebook said dating would arrive in Europe by early 2020. It just didn’t think to keep its lead EU privacy regulator in the loop, despite the DPC having multiple (ongoing) investigations into other Facebook-owned products at this stage.
It’s either an extremely careless oversight or, well, an intentional fuck you to privacy oversight of its data-mining activities. (Among multiple probes being carried out under Europe’s General Data Protection Regulation, the DPC is looking into Facebook’s claimed legal basis for processing people’s data under the Facebook T&Cs, for example.)
The DPC’s statement confirms that its agents visited Facebook’s Dublin office on February 10 to carry out an inspection — in order to “expedite the procurement of the relevant documentation”. Which is a nice way of the DPC saying Facebook spent a whole week still not sending it the required information.
“Facebook Ireland informed us last night that they have postponed the roll-out of this feature,” the DPC’s statement goes on. Which is a nice way of saying Facebook fucked up and is being made to put a product rollout it’s been planning for at least half a year on ice.
The DPC’s head of communications, Graham Doyle, confirmed the enforcement action, telling us: “We’re currently reviewing all the documentation that we gathered as part of the inspection on Monday and we have posed further questions to Facebook and are awaiting the reply.”
“Contained in the documentation we gathered on Monday was a DPIA,” he added.
This begs the question why Facebook didn’t send the DPIA to the DPC on February 3. We’ve reached out to Facebook for comment and to ask when it carried out the DPIA.
Update: A Facebook spokesperson has now sent this statement:
It’s really important that we get the launch of Facebook Dating right so we are taking a bit more time to make sure the product is ready for the European market. We worked carefully to create strong privacy safeguards, and complete the data processing impact assessment ahead of the proposed launch in Europe, which we shared with the IDPC when it was requested.
We’ve asked the company why, if it’s “really important” to get the launch “right,” it did not provide the DPC with the required documentation in advance instead of the regulator having to send agents to Facebook’s offices to get it themselves. We’ll update this report with any response.
Update: A Facebook spokesman has now provided us with a second statement — in which it writes:
We’re under no legal obligation to notify the IDPC of product launches. However, as a courtesy to the Office of the Data Protection Commission, who is our lead regulator for data protection in Europe, we proactively informed them of this proposed launch two weeks in advance. We had completed the data processing impact assessment well in advance of the European launch, which we shared with the IDPC when they asked for it.
Under Europe’s GDPR, there’s a requirement for data controllers to bake privacy by design and default into products which are handling people’s information. (And a dating product clearly would be.)
While conducting a DPIA — which is a process whereby planned processing of personal data is assessed to consider the impact on the rights and freedoms of individuals — is a requirement under the GDPR when, for example, individual profiling is taking place or there’s processing of sensitive data on a large scale.
And again, the launch of a dating product on a platform such as Facebook which has hundreds of millions of regional users would be a clear-cut case for such an assessment to be carried out ahead of any launch.
In later comments to TechCrunch today, the DPC reiterated that it’s still waiting for Facebook to respond to follow-up questions it put to the company after its officers had obtained documentation related to Facebook Dating during the office inspection.
The regulator could ask Facebook to make changes to how the product functions in Europe if it’s not satisfied it complies with EU laws. So a delay to the launch may mean many things.
“We’re still examining the documentation that we have,” Doyle told us. “We’re still awaiting answers to the queries that we posed to Facebook on Tuesday [February 11]. We haven’t had any response back from them and it would be our expectation that the feature won’t be rolled out in advance of us completing our analysis.”
Asked how long the process might take, he said: “We don’t control this time process but a lot of it is dependent on how quickly we get responses to the queries that we’ve posed and how much those responses deal with the queries that we’ve raised — whether we have to go back to them again etc. So it’s just not possible to say at this stage.”
This report was updated with additional comment from Facebook and the DPC