Facebook and its Privacy Problems
On February 16, 2018, the Belgian court ordered Facebook to delete illegally collected data or face fines of up to €100m, or €250,000 daily, for breaking privacy laws by tracking people on third-party sites without informing them or obtaining their consent.
In 2015, the Commission for the Protection of Privacy (CPP) took Facebook to the Belgian court for breaching EU law by tracking all visitors without their explicit consent. The court ordered Facebook to stop tracking non-members at the end of 2015, but the company challenged the Belgian court's jurisdiction over the matter, alleging its European headquarters were in Dublin. They won the appeal, but it has now been overturned.
The Belgian court ruled on February 16th that Facebook had broken privacy laws by tracking people on third-party sites. The network has therefore been ordered to delete all data it had collected illegally on Belgian citizens (including non-Facebook users) by placing cookies and invisible pixels on third-party websites. They have also been accused of not obtaining the user's explicit consent to collect and store all this information. For example, in their app for smartphones, a location service was pre-activated that reveals a user's location to people they are chatting to; in the privacy settings, pre-ticked boxes allowed search engines to link to the user's personal profiles, meaning that anyone could easily access them. Finally, they are also facing accusations of insufficiently informing their users about the kind of data they collect, the purposes for which it is used and how long it is stored.
The company says that it requires any business using its technologies to provide clear notice to end users, and that Facebook gives people the right to opt out of having data collected on sites and apps off Facebook used for ads. They intend to appeal the ruling, alleging that these technologies not only follow industry standards, but also help businesses reach customers and blossom.
Facebook has also been confronted with similar issues in other countries, and recently in Spain. The Agencia Española de Protección de Datos (AEPD) is part of the Contact Group constituted by several European Protection Authorities, namely the Belgian, the French, the German and the Dutch, to sanction Facebook for privacy infringements. In September 2017, the AEPD imposed a fine of €1,200,000 on Facebook because it uses specially protected data, such as ideology, sex or religious beliefs, for advertising purposes, among other uses, without the express authorization of the user. Facebook collects data derived from users browsing the platform and third-party sites, even without having an active session.
The network was accused of gathering, storing and using both user and non-user information without their clear and unequivocal consent. They don't even inform the users that the information is being used (they just give examples), not to mention the purpose for which it is being used, and they process specially protected data for publicity purposes, amongst others, which is a major infraction according to the LOPD (Ley Orgánica de Protección de Datos).
The huge problem with infringing data protection
Moreover, Facebook also infringes the data-protection-by-default provision (which follows the data minimization principle), because personal data is stored even after the purpose for which it was collected has been fulfilled, and the right to erasure, because data is kept for more than 17 months following the user's erasure request. The network's processing activities are classified as highly risky, for they involve the processing of a large amount of personal data affecting a large number of data subjects (among which are children, considered vulnerable natural persons). This means that a data breach and a subsequent data disclosure could threaten the rights and freedoms of the individuals, or lead to discrimination against them.
We see that the company could soon be facing real challenges, both in matters of security and privacy, because according to the European Union's General Data Protection Regulation (GDPR), failure to comply with basic processing principles, including conditions for consent (Arts. 5, 6, 7, 9), and failure to comply with data subjects' rights (Arts. 12-22) are considered major infringements, and could result in a fine of €2 million or 4% of the previous year's turnover, whichever is higher. Furthermore, the risk of facing direct enforcement actions and having to fully compensate data subjects in the near future is high.
The GDPR will enter into force on May 25th. It is therefore vital for Facebook to prioritize getting its privacy house in order, by focusing on high-risk areas such as cross-border data transfers, consents and data subjects' rights. Nonetheless, I believe it is inevitable that the reputational and financial risks that the network faces will end up being reflected in its pricing. We have already seen this happening, either in the form of a very low-payment WhatsApp business model, or in the premium Spotify business model. Whether we end up giving our consent to be hammered with more advertising or being users of a premium social network, it is for Facebook to decide.
Written by: Rita Fernández Gasalla, LLB Student
Assignment: Disruption and Technology in the Legal Markets
Professor: Cristina Sirera