Leaked Facebook ads document raises fresh questions over GDPR enforcement

Motherboard/Vice had an explosive report on Facebook’s business yesterday that’s sure to raise fresh questions over the lack of enforcement of European privacy laws against the adtech giant.

The report is based on a leaked internal document written last year by privacy engineers on its Ad and Business product team.

The document, which is entitled “ABP Privacy Infra, Long Range Investments [A/C Priv],” appears to show engineers at the tech giant now known as Meta scratching their heads at the nightmarish task they’re facing: Trying to make Facebook’s data-ingesting ads business compliant with a “tsunami” of global privacy regulations that need it to know how user data flows through its systems so the company can apply policies that control what’s done with people’s information and perform basic stuff like reflect people’s privacy choices. So next time Sheryl Sandberg talks about Meta’s “regulatory headwinds” this is the contextual meat to graft on those euphemistic bones.

Meta’s text deploys some internal business shorthand/acronyms whose literal meanings aren’t always clear. But the gist of the read — and it’s worth reading in full if you can spare the time for 15-pages of text, diagrams and a few colorful analogies such as one comparing a person’s information to a bottle of ink being poured into a giant lake (oopsy!) — is that Meta has ‘designed’ its ad system in such a totally unsiloed way that it’s very, very, very far from being able to comply with (even existing) laws like Europe’s General Data Protection Regulation (GDPR) which has a purpose limitation principle meaning you need a legal basis for each use of personal data. Nor, per the document, do Meta’s engineers sound confident of being able to transform the mess and achieve timely compliance with a bunch of other, incoming global regulations either. (And don’t even get them started on what AI regulations might mean for the business.)

Meta disputes that the document shows non-compliance with any privacy laws, of course.

In a statement to Motherboard, the company claims the document “does not describe our extensive processes and controls to comply with privacy regulations”; adding therefore that “it’s simply inaccurate to conclude that it demonstrates non-compliance”; and further claiming: “New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.” 

But, well, they would say that, wouldn’t they? 

Independent privacy researcher, Wolfie Christl — an expert in forensic analysis of ad data flows — takes a different view of what the leaked document reveals — dubbing it “dynamite” and a “confession” (albeit one not intended by Meta for public consumption) that it does not comply with the GDPR. See his detailed Twitter thread here — where he unpacks and contextualizes the implications of the engineers’ observations, as he sees it.

“The document is a straight and clear confession that Facebook’s whole business is based on a massive GDPR violation at the most fundamental level,” Christl tells TechCrunch. “Purpose limitation is one of the most basic principles in the GDPR. A company can generally only collect personal data for a specified purpose. If a company cannot specify the purpose it collects personal data for, it is simply not allowed to process it under the GDPR.”

Asked what Meta’s lead data protection regulator in the EU should do, Christl adds: “The Irish regulator must take action now. If Facebook cannot make clear how exactly its surveillance advertising machine uses personal data, it must be ordered to stop processing it.”

TechCrunch contacted the Irish Data Protection Commission (DPC) to ask whether it will be opening an investigation into Meta’s ad data flows in light of what the document appears to show is, basically, an ads system that, either by design or systemic build creep, exists (or existed in 2021) in a state that’s antithetical to regulation — and, indeed, whether the document is of relevance to any of the (several) ongoing investigations it has into aspects of Facebook’s business.

The regulator did not provide a statement but deputy commissioner Graham Doyle confirmed it had only seen the document for the first time when Motherboard/Vice published it.

That may raise further questions, given the DPC has — on paper — been investigating whether Facebook’s ads business complies with the GDPR’s requirement to have a valid legal basis for processing people’s data for almost four years now.

For example, the DPC has been considering a complaint against Facebook, focused on its legal basis for processing user data for ads, since May 2018, when the regulation entered into force.

A draft DPC decision on that inquiry, which was published (not by the DPC) last fall, was quickly branded a joke by privacy campaigners as the regulator appeared to be intending to accept a tactic by Meta to evade the GDPR’s standard for consent-based processing by claiming a cunning contractual bypass.

The tl;dr here is that for consent to be valid under the GDPR, data subjects must be given a free choice. Consent must also be purpose specific (aka no bundling); and it must be informed.

None of which happens if you use Facebook — where the platform makes processing your information for ad targeting a condition of use. Click ‘agree to ads’ or no Facebook account for you.

But, per last year’s leaked draft DPC decision, Facebook claims users are actually in a contract with it to receive targeted ads — and the DPC didn’t appear to see reason to object to that GDPR-bypassing construction.

Given GDPR complaints are still floundering on such legal basics, is it any wonder that the deep, dark, underbelly of Meta’s ad-targeting machinery contains, as this document tells it, a vast ocean of surveillance data on web users but so little apparatus to order this information according to people’s own wishes?

The bottom line is that the EU is almost four years into enforcement of its ‘flagship’ data protection regime and Facebook itself remains untouched by GDPR enforcement. (Its messaging platform WhatsApp was hit by a fine last year.)

The European Union also didn’t suddenly invent privacy regulation in 2018, when the GDPR came into force. Before that law there was the Data Protection Directive, which included many of the same principles.

So — in Europe at least — if a company like Facebook had actually been paying attention to legal requirements around privacy by design — and if EU regulators had been muscularly enforcing these long-standing rules — Meta might not now be warning investors about the ‘regulatory headwinds’ coming for their shareholder value. Nor facing what sounds to be a monumentally expensive and resource intensive re-engineering challenge — not so much akin to landing on the moon as more like needing to reconstruct the whole of the planet from pulverized moondust in a way that ensures every tiny piece of rock and dust is put back in exactly the place it originated for. Oh, and — guess what! — the deadline for doing all that already passed. Call it the ‘Zuckerberg’s moonshot.’

A Meta spokesperson did not respond to a question asking whether, following the Motherboard report, it had contacted the DPC to provide its lead EU regulator with information on how its ads system functions.

The company sent us the same statement it provided Motherboard earlier, which concludes with this lament: “This analogy lacks the context that we do, in fact, have extensive processes and controls to manage data and comply with privacy regulations.”

The European Commission is ultimately responsible for monitoring the application of the GDPR by EU Member State agencies.

We asked the Commission if it had any concerns in light of the leaked document and/or a view on whether the DPC should open an investigation into Meta’s ads data flows. But at the time of writing it had not responded.

In February, following a complaint against the Commission by the Irish Council for Civil Liberties — which accuses the EU’s executive of neglecting its duty to act on Ireland’s “failure to properly apply” the GDPR — the EU’s ombudsperson opened an inquiry — giving the Commission until May 15 to provide it with a “detailed and comprehensive” account of the information it has collected so far around whether the regulation is applied “in all respects” in Ireland.