Facebook is confronting EU users with a new “terms of service” dialogue that denies access until a user opts in to tracking for ad targeting, and various other data processing purposes...
These Terms refer to the “data policy” that says “we use the information we have about you – including information about your interests, actions and connections – to select and personalise ads, offers and other sponsored content that we show you.”
The data policy also says “We use the information [including] the websites you visit and ads you see … to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and…” See facebook.com/about/privacy/…
This appears to breach several important principles of the #GDPR, including the principle of purpose limitation, freely given, non-conditional consent, and of transparency. In other words, if Facebook attempts to collect consent in this manner, that consent will be unlawful.
European Regulators have been very clear on this point. See for example Article 29 WP guidance on conflation of multiple purposes iapp.org/media/pdf/reso…
Then, a mere 24 days before the application of the #GDPR, $FB's head of privacy announces plans to build “Clear History”, with which users can opt out of Facebook collecting data about their visits to other websites and apps.
But the GDPR demands not an opt-out, but an opt-in.
Nor is Clear History available to non-Facebook users.
A further sign of Facebook’s brinksmanship: it said “it will take a few months to build Clear History”, which means that the feature will not be available to users until long after the GDPR has been applied later this month.
Facebook is playing a dangerous game of “chicken” with the regulators. Reading through a recent court ruling from the Brussels Court of First Instance shows how dangerous this is for the company.
Here are some quotes: "The court has come to the decision that in all the cases described, Facebook does not obtain any legally valid consent in the sense of Article 5 (a) Privacy Act [Data Protection Directive] and Article 129 ECA [ePrivacy] for the disputed data processing."
The Court also made clear that consent requests must be specific: "Specific means that the expression of will must relate to a specific instance or category of data processing and can thus not be obtained on the basis of a general authorization for an open series of processing."
This part of the ruling was based on Article 1, section 8, of the Belgian Privacy Act, which uses the same formula of words as Article 4, paragraph 11, of the GDPR (“freely given, specific, informed…”).
In other words, the Court is upholding a standard that is virtually identical to the standard that will apply under the GDPR. Facebook’s new GDPR consent dialogue faces the same problem, and is unlawful for the same reason.
The Court also found that Facebook users are not clearly told what “purposes” Facebook processes the personal data for. Nor does it clearly explain its use of sensitive data including any personal data that could reveal religious belief, sexual orientation, etc.
Facebook has recently gone some way to inform users about the use of personal data concerning their political interests, but this is only a partial solution to a far broader risk for the company. Its handling of sensitive categories of personal data will be a major challenge.
Unsurprisingly in the aftermath of the Cambridge Analytica scandal, the Court found that Facebook did not properly disclose who it was sharing the data with.
The ruling also found that Facebook was not even complying with its own self-regulatory system. Whatever one’s view of the “adchoices” self-regulatory system, it is quite remarkable that Facebook continued to track people even if they had already used it to opt out.
The Brussels Court ordered Facebook to pay €250,000 per day, up to a maximum of €100 million, until it stopped its unlawful behavior. This was a strong statement.
To put this fine into perspective, consider that Belgium has a population of 11.35 million people, which is only 2% of the population of the EU. At the same value per person, the EU equivalent would be €12.5 million per day, up to a maximum of €5 billion.
In addition, Facebook was ordered to submit to an independent expert supervising its deletion of all illegal data that it had amassed about every user on Belgian soil.
It also had to make sure that third parties to whom it provided illegal data do the same. The Cambridge Analytica scandal shows that this last point about ensuring that third parties delete their copies of Facebook’s illegally accumulated data will be impossible for Facebook.
Recall that Mark Zuckerberg told US lawmakers: “When developers told us they weren’t going to sell data, we thought that was a good representation. But one of the big lessons we’ve learned is that clearly, we cannot just take developers’ word for it.”
Video of this remarkable statement is at c-span.org/video/?443490-…. In other words, Facebook was sharing personal data without any control whatsoever.
As I argue in this thread, this is no different from what every major website currently does when it sends visitors’ personal data in RTB bid requests.
Even if the original collection of the data had been lawful, this uncontrolled distribution would certainly not be. Again, the parallel with RTB bid requests should give publishers and adtech vendors pause.
Important lesson from the Belgian case: what the Article 29 Working Party says matters. #Adtech vendors continue to ignore it at their peril.
Although the Court is the arbiter, it relied on the Working Party’s authoritative opinions throughout its ruling. The ruling cited WP opinions on consent (15/2011), online behavioral advertising (2/2010), purpose limitation (2/2013), and data controllers and processors (1/2010).
The requirements of European data protection law have been well illuminated by the public guidance of the Article 29 Working Party for over two decades, and provide an invaluable guide to businesses scrambling to comply with a body of law largely neglected hitherto.
The Court also ruled that Facebook cannot reject users who refuse to agree to tracking – unless the tracking in question is necessary for the service that a user explicitly requests from Facebook.
This ruling is one of several defeats Facebook has suffered in European courts in recent months. In January, the Berlin Regional Court ruled that Facebook’s approach to consent and terms are unlawful. (See ruling here (in German) pagefair.com/wp-content/upl…)
In April, the Irish High Court referred important aspects of Facebook’s trans-Atlantic transfers of personal data to the European Court of Justice, once again, for scrutiny. It is likely that worse is to come, unless Facebook significantly changes its approach to data protection.
But the company has options. As unlikely as it may seem now, one can foresee that Facebook will introduce non-personal data based ad targeting to the Newsfeed.
This is likely to be necessary because Facebook will be unable to win lawful consent for some data processing purposes of sensitive personal data (or data processing purposes for regular personal data, that are not “compatible” with purposes that the user has already agreed to).
It seems likely that this problem encompasses all personalized advertising on the newsfeed, custom audiences, and social share buttons on other websites. Therefore, Facebook must have a way of targeting ads to non-consenting users. Non-personal data would allow this.
There is a broader lesson. Digital publishers and adtech vendors need to urgently reassess the use of personal data in programmatic advertising, and reflect on how adtech’s shaky consent systems will fare in Europe’s courts.
It may also become important for Facebook to be able to participate in a clean and safe data supply chain, which major advertisers are beginning to show concern about.
See wfanet.org/news-centre/wf…
Our letter contains a summary of the various personal data that are broadcast in the OpenRTB system. Note that these data are very likely to include “special categories” of personal data, since they show what the person is watching and reading, and can include brokers’ segment IDs 2/
Unless OpenRTB 3.0 is very radically altered, so that no personal data are contained in the bid request, it appears that it will severely infringe Article 5 of the #GDPR, and all that flows from Article 5’s principles. 3/
Facebook left its API wide open, and had no control over personal data once those data left Facebook.
But there is a wider story coming: (thread...)
Every single big website in the world is leaking data in a similar way, through "RTB bid requests" for online behavioural advertising #adtech. 2/12
Every time an ad loads on a website, the site sends the visitor's IP address (indicating physical location), the URL they are looking at, and details about their device, to hundreds (often thousands) of companies. Here is a graphic that shows the process. 3/12