Privacy watchdog doesn’t ‘like’ Facebook’s approach

17/04/2015

A report commissioned by the Belgian Privacy Commission into Facebook’s policies and terms of service has criticised the social media network’s use of cookies and concludes that Facebook is operating in breach of European law in several key respects.

What aspects of European law is Facebook said to be in breach of?

The report found that:

(i) several clauses in Facebook’s new (2015) Statement of Rights and Responsibilities (SRR) violate the Unfair Contract Terms Directive 93/13/EEC;
(ii) Facebook’s Data Use Policy (DUP) does not comply with the requirements of the e-Privacy Directive 2002/58/EC, art 5(3) (as amended); and
(iii) Facebook tracks non-users in a manner which also violates the e-Privacy Directive.

The report is also critical of the transparency of Facebook’s DUP and the lack of sophisticated control Facebook affords its users, for example over the use of geolocation data.

Perhaps most surprising is the revelation that Facebook tracks non-users without their consent by the placing of cookies on their devices when they visit a Facebook page, which are then harvested when they subsequently visit a third-party website which uses one of Facebook’s social plug-ins such as a ‘like’ button (and there are 13 million such third-party websites including many government and corporate sites). The technical annex to the report also details how EU visitors to Facebook, whether or not they are members of the social network, have a cookie delivered to their device with a two-year lifespan.

What limits does EC law place on the tracking of internet users?

The e-Privacy Directive provides that processing of personal data may only take place if and to the extent that it is justified by one or more specified legitimate grounds. Many such grounds are set out in the e-Privacy Directive, art 7, but the report’s authors have identified the following three that might be relied upon by an online social network such as Facebook:

(i) if the unambiguous consent of the data subject has been obtained
(ii) if the processing is a necessity for the performance of a contract, and/or
(iii) if there is an overriding legitimate interest in the processing of the data

The report finds that only in very limited circumstances can (ii) or (iii) be relied upon, so that for most collection and processing of personal data by Facebook it must show that it has obtained the unambiguous consent of the data subject. In any event the e-Privacy Directive, art 5(3) provides that, where cookies are concerned, users must be offered the right to refuse.

Cookies are the most common method of tracking internet users. They are small packages of software that are placed onto a user’s device, uniquely identifying that device and capable of gathering data about how, where and when it has been used, for upload to the cookie’s owner at some future time. Almost all commercial websites now use cookies, and the data they gather is used most commonly to target advertising.

The other most relevant piece of European legislation in this context is the Data Protection Directive 95/46/EC:

(i) arts 10 and 11 provide data subjects with a right to information in relation to how their personal data is processed;
(ii) art 12 provides a right of access for data subjects to their personal data; and
(iii) art 14 provides data subjects with the right to object to their personal data being processed in most contexts relevant to an online social network.

The report is critical of the extent to which Facebook makes these rights available to users (and to some extent non-users), concluding that:
‘Facebook fails to provide (sufficient) granularity in exercising data subjects’ rights. For example the right to erasure can only be exercised with regard to the user’s profile altogether and only relates to self-posted content. The right to object can only be exercised with regard to the visibility of certain content to third parties.’

The message in the report is that the use of social networks is now so ubiquitous that Facebook’s ‘take it or leave it’ privacy policy is not good enough–users should be given greater adjustability in the control they have over their personal data.

How have consent policies (cookies etc) developed and have they been successful?

In June 2012 the European data protection authorities (through the Article 29 Working Party) issued an opinion that sought to distinguish between types of cookies and to suggest different policies depending upon the nature of the cookie and the privacy risk created. The opinion noted that ‘first-party analytic cookies’ (for example a cookie from the operator of the website a user is visiting aimed at improving the working of that website) do not always require informed consent. However, the cookies most frequently encountered are third-party cookies set for the collection of commercially valuable data and these certainly require the informed consent of the user. Such consent may be implied–it is the need for it to be informed that has given rise to the commonly experienced ‘cookie policy’ boxes found on most websites. There is little evidence that the text in these boxes is in fact read in practice, casting doubt on the efficacy of both the law and its implementation. Consent is certainly routinely given, however few users properly understand to what they are consenting.
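The tracking mechanism described earlier (a cookie set when a user visits the social network's own site, then sent again whenever a third-party page embeds one of its plug-ins) and the Working Party's distinction between first-party analytic cookies and third-party tracking cookies can both be checked mechanically from the Set-Cookie headers a page load produces. The script below is an added example, not code from the original article or from Facebook: it parses each Set-Cookie header, classifies the cookie as first- or third-party relative to the page the user visited, computes its lifespan, and flags persistent third-party cookies, any cookie living longer than a year, and third-party cookies that lack a SameSite=Lax/Strict attribute (a browser attribute introduced after this article that stops a cookie being sent with cross-site embed requests). The page host, cookie names and headers are constructed sample data, and the registrable-domain helper uses a two-label approximation rather than the Public Suffix List.

```python
"""Audit the cookies a page load sets: first- vs third-party, lifespan, SameSite.

Added example (not the article's or Facebook's code). All hosts, cookie
names and headers below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Fixed reference instant so that Expires arithmetic is reproducible offline.
NOW = datetime(2015, 4, 17, tzinfo=timezone.utc)

# Constructed sample: the page the user visited, then (responding host, Set-Cookie
# header) pairs captured while it loaded, including an embedded social plug-in.
PAGE_HOST = "www.news-example.org"
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("www.news-example.org", "session=a1b2c3; Path=/; HttpOnly; Secure"),
    ("www.news-example.org", "site_stats=v2; Max-Age=7776000; Path=/"),  # 90 days
    ("plugins.social-example.com",
     "tracker=x9y8z7; Expires=Sun, 16 Apr 2017 00:00:00 GMT; Domain=.social-example.com; Path=/"),
    ("plugins.social-example.com",
     "plugin=q1w2e3; Max-Age=63072000; Domain=.social-example.com; Path=/; SameSite=Lax"),
]


@dataclass
class Cookie:
    name: str
    domain: str                    # scope host (responding host when no Domain attribute)
    lifespan: Optional[timedelta]  # None means a session cookie
    same_site: Optional[str]       # lowercase SameSite value, or None if absent


def registrable_domain(host: str) -> str:
    """Approximate the 'site' of a host as its last two labels.
    Assumption for this demo; a production audit should use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse one Set-Cookie header value. Max-Age takes precedence over Expires (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, lifespan, same_site = response_host, None, None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain" and value:
            domain = value
        elif key == "max-age" and value:
            lifespan = timedelta(seconds=int(value))
        elif key == "expires" and value and lifespan is None:
            lifespan = parsedate_to_datetime(value) - NOW
        elif key == "samesite":
            same_site = value.lower() or None
    return Cookie(name, domain, lifespan, same_site)


def is_third_party(cookie: Cookie, page_host: str) -> bool:
    """A cookie is third-party when its scope differs from the visited page's site."""
    return registrable_domain(cookie.domain) != registrable_domain(page_host)


def audit(page_host: str, responses, max_days: int = 365) -> List[dict]:
    """Return one finding per cookie that a privacy review should look at."""
    findings = []
    for response_host, header in responses:
        c = parse_set_cookie(header, response_host)
        third = is_third_party(c, page_host)
        days = c.lifespan.days if c.lifespan is not None else 0
        reasons = []
        if third and c.lifespan is not None:
            reasons.append("persistent third-party cookie")
        if days > max_days:
            reasons.append(f"lifespan {days} days exceeds {max_days}")
        if third and c.same_site in (None, "none"):
            reasons.append("no SameSite=Lax/Strict: sent with cross-site plug-in requests")
        if reasons:
            findings.append({"name": c.name, "domain": c.domain,
                             "third_party": third, "days": days, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(PAGE_HOST, SAMPLE_RESPONSES):
        print(f"{f['name']}@{f['domain']}: {f['days']} days; " + "; ".join(f["reasons"]))
```

Run against the sample, the first-party session and 90-day analytics cookies produce no findings, while both plug-in cookies are reported as persistent third-party cookies with a two-year lifespan; only the one without SameSite=Lax is additionally flagged as being sent on cross-site requests. Feeding the script real headers captured by a browser's developer tools turns it into a quick check of which cookies a page exposes users to and for how long.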

What is driving companies to push the limits of acceptable tracking? What is the benefit to their business?

It can be of great benefit to all parties for a website to know some basic information about an individual user, saving time and making content much more relevant. However, as the report notes, for a company such as Facebook (and similar observations would apply to Google) the ability to track users and collect data about them is key to their business model. These companies’ assets are the data they collect, and the greater the amount of the data and the more sophisticated its relations, the more valuable are those assets. Tracking is therefore vital to these companies’ profitability. The more they know about what we do online, the more they know about us–and the more they know about us, the more powerful and profitable they will become.

Could Facebook face action for breaching European law?

Facebook’s position is that its DUP and SRR are compliant with European laws. It says that its tracking of non-users was a bug that is now being resolved. A Facebook spokesperson is reported in the Guardian as saying:

“This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.”

If Facebook has acted in breach of data protection law, action by private individuals in the UK has become more feasible very recently following the Court of Appeal’s ruling in Vidal-Hall v Google [2015] EWCA Civ 311, [2015] All ER (D) 307 (Mar) which has done away with the need for a claimant for damages under the UK’s Data Protection Act 1998 to show financial loss.

The Belgian Privacy Commission is expected to decide by 29 April 2015 whether or not to act upon the report.

What are the challenges of online consent in an Internet without borders?

As the report points out, the tracking techniques deployed by Internet companies are constantly evolving. In fact it is becoming increasingly possible to track users across the web without the use of cookies at all through techniques known as ‘fingerprinting’, thus rendering the protection in the e-Privacy Directive, art 5(3) outdated. While the data collected by such techniques is still capable of attracting the protection of the Data Protection Directive, the collection itself may be outside the current scope of the law. However, as the European Court of Justice has demonstrated in Google Spain SL and another company v Agencia Espanola de proteccion de Datos (AEPD) and another: C-131/12 [2014] All ER (D) 124 (the ‘right to be forgotten case’) and consistent with the new data protection ‘super-regulation’ due to be passed this year and come into force by 2017, European data protection law will soon apply to any company that does business here, regardless of where it is established.

Jonathan Price was interviewed by Alex Heshmaty.

This article was first published on Lexis®PSL IP & IT on 17 April 2015