European privacy regulators have again criticized Facebook’s privacy policy and reiterated that it violates EU law. That’s according to The Guardian, which summarizes the revised findings of a report originally commissioned by the Belgian data protection authority.
The cited report (embedded below) is an updated version of an earlier document issued in February of this year.
The report was generated by researchers at the University of Leuven and Vrije Universiteit in Belgium. The earlier version of the report found that Facebook’s privacy policy violated European data-protection laws in a variety of ways. The thrust of the updated findings is that Facebook tracks users and their online behavior without proper disclosures or consent.
According to The Guardian’s summary of EU privacy and consent rules, “EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (‘criterion A’) or to deliver a service specifically requested by the user (‘criterion B’).”
Below is an edited, partial overview of complaints to Facebook’s policies raised in the report:
Consent: Given the limited information Facebook provides and the absence of meaningful choice with regard to certain processing operations, it is highly questionable whether Facebook’s current approach satisfies [EU consent] requirements. Privacy: [Facebook’s] current default settings with regards to behavioural profiling and advertising (essentially “opt-out”) remain problematic. According to the Article 29 Working Part, consent cannot be inferred from the data subject’s inaction with regard to behavioural marketing. As a result, Facebook’s opt-out system for advertising does not meet the requirements for legally valid consent. In addition, opt-outs for “Sponsored Stories” or collection of location data are simply not provided. Unfair contract terms: In comparison to 2013, Facebook’s new Statement of Rights and Responsibilities (SRR) has not changed substantially. However, our analysis shows that there are several clauses which violate European consumer protection law. Specifically, Facebook’s SRR contains a number of provisions which do not comply with the Unfair Contract Terms Directive. Data usage: Facebook combines data from an increasingly wide variety of sources (e.g., Instagram, Whatsapp and data brokers). By combining information from these sources, Facebook gains a deeper and more detailed profile of its users. Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes. The current practice does not meet the requirements for legally valid consent. Tracking: Facebook monitors its users in a variety of ways, both off and on Facebook. While Facebook provides users with high-level information about its tracking practices, we argue that the collection or use of device information envisaged by the 2015 DUP does not comply with the requirements of article 5(3) of the e-Privacy Directive, which requires free and informed prior consent before storing or accessing information on an individual’s device. Facebook also tracks non-users in a manner which violates article 5(3) of the e-Privacy Directive.
Accordingly the bulk of the objections can be boiled down to two or three categories:
Disclosures
Opt-in vs. op-out
User knowledge and consent to Facebook’s practices
In February when the preliminary report was made public Facebook said the following about being in compliance with European privacy laws:
We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising, . . . We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates including this one with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.
Notwithstanding its claim to comply with EU privacy rules, Facebook will ultimately be compelled to make changes to its privacy policy and practices. The negotiation will be around how prominently and what specific practices Facebook needs to disclose to users. The company will also seek to preserve as much of its “opt-out” regime as possible as the EU tries to move more data collection, tracking and profiling into the opt-in column.
Comments