EurActiv.com

EU news and policy debates across languages

29/09/2016

Facebook faces EU and US probes over data harvesting

Digital

Facebook faces EU and US probes over data harvesting

Sign-up page for Facebook, featuring founder Mark Zuckerberg and data disclaimer. [Facebook]

Facebook faces separate investigations by EU and US data regulators over its plans to collect web browsing histories for targeted advertising after a complaint by consumers on both sides of the Atlantic.

The social media giant wants to use cookies and pixel tags to harvest data and use it to match adverts to users’ interests.

Facebook already collects browsing information on its website and through its mobile apps but this could now be expanded to any website with the right coding. The company’s new data harvesting policy is planned for the US first before being rolled out in Europe.

The Trans Atlantic Consumer Dialogue (TACD), an organisation of leading American and European consumer rights groups, wrote to the Irish Data Protection Commissioner Billy Hawkes and to the US Federal Trade Commission on Tuesday (29 July).

The letter said Facebook would routinely monitor web browsing despite “prior representations upon which users may have relied”.

“We urge you to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current US and EU law,” the letter added, before calling for the investigations’ finding to be made public.

A Facebook spokesman told EurActiv, “The level of control people have over advertising on Facebook exceeds industry standards.

“Anyone can opt out of advertising based on the websites they visit and apps they use, and we offer ad preferences, a way for people to add and remove interest categories to improve the ads they see on Facebook,” the spokesperson said in emailed comments.

The European complaint had to be filed in Ireland, the site of Facebook’s European headquarters. Under current EU law objections must be made to the data regulator in the country where the company is based. One proposed measure in the EU’s overhaul of personal data laws is to introduce a “one stop shop” that allows complaints to be made to data authorities in their own country.

2011 audit

TACD asked the Irish regulator to establish if the move breached privacy recommendations made in its 2011 investigation into Facebook. That audit said there are limits to the extent user-generated personal data can be used for targeting advertising.

The company undertook to ensure full transparency in its targeted advertising in response to the report, as part of a series of commitments.

TACD said the report promised Facebook was complying with higher privacy standards. “In light of that we question how this new vast expansion of the social network’s data collection and user profiling could have been allowed to go forward,” it added.

The Irish regulator said on Wednesday (30 August) it was considering what action to take.

The European Commission said it was monitoring the situation. Enforcement of EU data protection laws is the responsible of the national regulator, even when the business is processing data across Europe.

US complaint

The complaint to the Federal Trade Commission focused on whether the decision violates a consent order imposed by the supervisor on Facebook. 

TACD argued that Facebook fails to properly inform consumers about its tracking policies and does not adequately get consent for its data collection, both requirements of the order.

“Users’ web browsing history is far outside the scope of the information users expect Facebook to collect,” the letter said. It pointed out that an opt-out cookie was automatically removed whenever a user cleared their browsing history, making it useless.

//player.vimeo.com/video/97740886

Class action lawsuit

Separately on Friday (1 August), an Austrian law student called for Facebook users to join a class-action lawsuit against the company’s alleged violations of its users’ privacy.

Max Schrems is seeking injunctions under EU data protection law in a Vienna court and has a separate case pending against Facebook at the European Court of Justice.

Under Austrian law, a group of people may transfer their financial claims to a single person. Legal proceedings are then effectively run as a class action.

Schrems is claiming damages of €500 per user for alleged data violations. They include aiding the US National Security Agency in running its Prism programme, which mined the personal data of users of Facebook and other web services.

Facebook has come under fire before for allegedly violating data protection laws.

Most recently, Britain’s data watchdog began an investigation into whether a 2012 experiment on unwitting users, in which it tried to alter their emotional state to see if their postings turned more positive or negative.

The world’s biggest social network, Facebook now has 1.32 billion users. It posted a 61% increase in sales in the second quarter thanks to mobile advertising, sending its shares to a record high and valuing the company at almost $200 billion.

http://www.euractiv.com/infosociety/eu-watchdog-slams-facebook-priva-news-494168

Background

The world's biggest social network, Facebook now has 1.32 billion users. It posted a 61% increase in sales in the second quarter of 2014 thanks to mobile advertising, sending its shares to a record high and valuing the company at almost $200 billion.

Facebook has been criticised by some for the way it handles users data. In December 2011, the Irish Data Protection Commissioner's office published its audit of the social media giant. Facebook, whose European headquarters are in Ireland, made several commitments after the report regarding privacy.

Consumers have written to regulators over Facebook's plans, announced in June, to expand its targeted advertising. The social media giant wants to use cookies and pixel tags to harvest data and use it to match adverts to users’ interests. Facebook already collects browsing information on its website and through its apps but this could now be expanded to any website with the right coding. The new policy is planned for the US first before being rolled out in Europe.

The EU is currently overhauling its data protection rules. The European Commission published in January 2012 a broad legislative package aimed at safeguarding personal data.

The package consists of two legislative proposals: a general regulation on data protection (directly applicable in all member states) and a specific directive (to be transposed into national laws) on data protection in the area of police and justice.

The new rules propose to include provisions catering for the "right to be forgotten", data portability and access to personal data.

Timeline

  • September onwards: Council of Ministers to discuss data reform package

Further Reading