What aspects of European law is Facebook said to be in breach of?
The report found that:
(i) several clauses in Facebook’s new (2015) Statement of Rights and Responsibilities (SRR) violate the Unfair Contract Terms Directive 93/13/EEC;
(ii) Facebook’s Data Use Policy (DUP) does not comply with the requirements of the e-Privacy Directive 2002/58/EC, art 5(3) (as amended); and
(iii) Facebook tracks non-users in a manner which also violates the e-Privacy Directive.
The report is also critical of the transparency of Facebook’s DUP and the lack of sophisticated control Facebook affords its users, for example over the use of geolocation data.
Perhaps most surprising is the revelation that Facebook tracks non-users without their consent by the placing of cookies on their devices when they visit a Facebook page, which are then harvested when they subsequently visit a third-party website which uses one of Facebook’s social plug-ins such as a ‘like’ button (and there are 13 million such third-party websites including many government and corporate sites). The technical annex to the report also details how EU visitors to Facebook, whether or not they are members of the social network, have a cookie delivered to their device with a two-year lifespan.
What limits does EC law place on the tracking of internet users?
The e-Privacy Directive provides that processing of personal data may only take place if and to the extent that it is justified by one or more specified legitimate grounds. Many such grounds are set out in the e-Privacy Directive, art 7, but the report’s authors have identified the following three that might be relied upon by an online social network such as Facebook:
(i) if the unambiguous consent of the data subject has been obtained,
(ii) if the processing is a necessity for the performance of a contract, and/or
(iii) if there is an overriding legitimate interest in the processing of the data.
The report finds that only in very limited circumstances can (ii) or (iii) be relied upon, so that for most collection and processing of personal data by Facebook it must show that it has obtained the unambiguous consent of the data subject. In any event the e-Privacy Directive, art 5(3) provides that, where cookies are concerned, users must be offered the right to refuse.
The other most relevant piece of European legislation in this context is the Data Protection Directive 95/46/EC:
(i) arts 10 and 11 provide data subjects with a right to information in relation to how their personal data is processed;
(ii) art 12 provides a right of access for data subjects to their personal data; and
(iii) art 14 provides data subjects with the right to object to their personal data being processed in most contexts relevant to an online social network.
The report is critical of the extent to which Facebook makes these rights available to users (and to some extent non-users), concluding that:
‘Facebook fails to provide (sufficient) granularity in exercising data subjects’ rights. For example the right to erasure can only be exercised with regard to the user’s profile altogether and only relates to self-posted content. The right to object can only be exercised with regard to the visibility of certain content to third parties.’
How have consent policies (cookies etc) developed and have they been successful?
What is driving companies to push the limits of acceptable tracking? What is the benefit to their business?
It can be of great benefit to all parties for a website to know some basic information about an individual user, saving time and making content much more relevant. However, as the report notes, for a company such as Facebook (and similar observations would apply to Google) the ability to track users and collect data about them is key to their business model. These companies’ assets are the data they collect, and the greater the amount of the data and the more sophisticated its relations, the more valuable are those assets. Tracking is therefore vital to these companies’ profitability. The more they know about what we do online, the more they know about us, and the more they know about us, the more powerful and profitable they will become.
Could Facebook face action for breaching European law?
Facebook’s position is that its DUP and SRR are compliant with European laws. It says that its tracking of non-users was a bug that is now being resolved. A Facebook spokesperson is reported in the Guardian as saying:
“This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.”
If Facebook has acted in breach of data protection law, action by private individuals in the UK has become more feasible very recently following the Court of Appeal’s ruling in Vidal-Hall v Google EWCA Civ 311, All ER (D) 307 (Mar), which has done away with the need for a claimant for damages under the UK’s Data Protection Act 1998 to show financial loss.
The Belgian Privacy Commission is expected to decide by 29 April 2015 whether or not to act upon the report.
What are the challenges of online consent in an Internet without borders?
Jonathan Price was interviewed by Alex Heshmaty.
This article was first published on Lexis®PSL IP & IT on 17 April 2015.