European regulators will announce next week whether they will punish Facebook for its consumer terms and conditions, after the company was warned in February that its rules do not comply with EU law.
Vera Jourova, the EU Justice Commissioner who oversees consumer rules, told journalists on Monday (16 July), “the practices of Facebook are again under scrutiny after the company has introduced new terms and conditions at the end of April this year and following the Cambridge Analytica case and introduction of the GDPR.”
The GDPR, the EU’s sweeping new data protection law, took effect on 25 May. In March, news broke that political consultancy Cambridge Analytica had analysed data from around 87 million Facebook users without their consent.
Jourova’s concerns over Facebook’s terms and conditions date back to before the massive data scandal. She warned Facebook and Twitter in February that they must change their rules to give consumers clear information explaining why the platforms remove certain posts.
Facebook, Twitter and Google have already complied with an earlier Commission demand to allow EU-based consumers to sue the companies in their home countries. Consumers were previously required to bring cases to courts in California, where the tech companies are based.
“Not all the changes are in line with consumer laws”, the official said.
The group of national consumer protection authorities from EU countries will send a letter to Facebook describing its decision. National consumer regulators act independently since there is no EU-level authority in charge of sanctioning companies. But the watchdogs have cooperated with each other and shared information on company violations in the Facebook case and other large-scale inquiries.
Jourova said on Monday, “we are now looking at how Facebook is asking for consent for personal data. For instance, if they are clear enough in their terms and conditions, how they are using the personal data of people.”
“We would like Facebook to take more responsibility for other apps and third parties that use their service. The story of Cambridge Analytica shows that Facebook must improve how it sees its relationship with other companies that are on the platforms,” she added.
A Facebook spokeswoman had not responded to a request for comment at the time this story was published.
Under the GDPR, people can give their consent to allow companies to process their personal data.
If firms break the data protection law, national privacy regulators must investigate and decide whether to impose sanctions. Jourova oversees both EU data protection and consumer law.
She proposed an overhaul to EU consumer rules in April that would raise the level of fines against companies to a maximum of 4% of their annual turnover in a given European country. The bill is in early phases of legal negotiations.
Christoph Schmon, from the European Consumer Organisation, said “there should be heavy and deterrent sanctions” against firms that don’t comply with consumer rules.
Data protection regulators have not weighed in on the decision expected next week on Facebook’s terms and conditions. If consumer regulators choose to sanction the company, the sanctions will not be based on the high-level fines outlined in the GDPR.
The UK data protection authority announced last week that it will fine Facebook £500,000, or around €564,000, for violating privacy rules by allowing Cambridge Analytica to collect its users’ data. Elizabeth Denham, the UK information commissioner, said the fine would have been higher if the breach had taken place when the GDPR was already in effect.