These Terms refer to the “data policy” that says “we use the information we have about you – including information about your interests, actions and connections – to select and personalise ads, offers and other sponsored content that we show you.”
The data policy also says “We use the information [including] the websites you visit and ads you see … to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and…” See https://www.facebook.com/about/privacy/update …
This appears to breach several important principles of the #GDPR, including the principle of purpose limitation, freely given, non-conditional consent, and of transparency. In other words, if Facebook attempts to collect consent in this manner, that consent will be unlawful.
European Regulators have been very clear on this point. See for example Article 29 WP guidance on conflation of multiple purposes https://iapp.org/media/pdf/resource_center/20180416_Article29WPGuidelinesonConsent_publishpdf.pdf … pic.twitter.com/pqZr5stVNd
Nor is Clear History available to non-Facebook users. A further sign of Facebook’s brinksmanship: it said “it will take a few months to build Clear History”, which means that the feature will not be available to users until long after the GDPR has been applied later this month.
Facebook is playing a dangerous game of “chicken” with the regulators. Reading through a recent court ruling from the Brussels Court of First Instance shows how dangerous this is for the company.
Here are some quotes: "The court has come to the decision that in all the cases described, Facebook does not obtain any legally valid consent in the sense of Article 5 (a) Privacy Act [Data Protection Directive] and Article 129 ECA [ePrivacy] for the disputed data processing."
See the ruling text https://pagefair.com/wp-content/uploads/2018/04/Belgian-Court-judgement.pdf …
The Court also made clear that consent requests must be specific: "Specific means that the expression of will must related to a specific instance or category of data processing and can thus not be obtained on the basis of a general authorization for an open series of processing."
This part of the ruling was based on Article 1, section 8, of the Belgian Privacy Act, which uses the same formula of words as Article 4, paragraph 11, of the GDPR (“freely given, specific, informed…”).
In other words, the Court is upholding a standard that is virtually identical to the standard that will apply under the GDPR. Facebook’s new GDPR consent dialogue faces the same problem, and is unlawful for the same reason.
The Court also found that Facebook users are not clearly told what “purposes” Facebook processes the personal data for. Nor does it clearly explain its use of sensitive data including any personal data that could reveal religious belief, sexual orientation, etc.
Facebook has recently gone some way to inform users about the use of personal data concerning their political interests, but this is only a partial solution to a far broader risk for the company. Its handling of sensitive categories of personal data will be a major challenge. pic.twitter.com/KDzWi3oh4q
Unsurprisingly in the aftermath of the Cambridge Analytica scandal, the Court found that Facebook did not properly disclose who it was sharing the data with.
The ruling that Facebook was not even complying with its own self-regulatory system. Whatever one’s view of the “adchoices” self-regulatory system, it is quite remarkable that Facebook continued to track people even if they had already used it to opt out. pic.twitter.com/DlQmfmmMWn
The Brussels Court ordered Facebook to pay €250,000 per day, up to a maximum of €100 million, until it stopped its unlawful behavior. This was a strong statement.
To put this fine into perspective, consider that Belgium has a population of 11.35 million people, which is only 2% of the population of the EU. At the same value per person, the EU equivalent would be €12.5 million per day, up to a maximum of €5 billion.
In addition, Facebook was ordered to submit to an independent expert supervising its deletion of all illegal data that it had amassed about every user on Belgian soil.
It also had to make sure that third parties to whom it provided illegal data do the same. The Cambridge Analytica scandal shows that this last point about ensuring that third parties delete their copies of Facebook’s illegally accumulated data will be impossible for Facebook.
Recall that Mark Zuckerberg told US lawmakers: When developers told us they weren’t going to sell data, we thought that was a good representation. But one of the big lessons we’ve learned is that clearly, we cannot just take developer’s word for it.
Video of this remarkable statement is at https://www.c-span.org/video/?443490-1/facebook-ceo-mark-zuckerberg-testifies-data-protection&live&start=4929# …. In other words, Facebook was sharing personal data without any control whatsoever.
As I argue in this thread https://twitter.com/johnnyryan/status/976812663991914496?lang=en … this is no different from what every major website currently does when it sends visitors’ personal data in RTB bid requests.
Even if the original collection of the data had been lawful, this uncontrolled distribution would certainly not be. Again, the parallel with RTB bid requests should give publishers and adtech vendors pause.
Important lesson from the Belgian case: what the Article 29 Working Party says matters. #Adtech vendors continue to ignore it at their peril.
Although the Court is the arbiter, it relied on the Working Party’s authoritative opinions throughout its ruling. The ruling cited WP opinions on consent (15/2011), online behavioral advertising (2/2010), purpose limitation (2/2013), and data controllers and processors (1/2010).
The requirements of European data protection law have been well illuminated by the public guidance of the Article 29 Working Party for over two decades, and provide an invaluable guide to businesses scrambling to comply with a body of law largely neglected hitherto.
The Court also ruled that Facebook cannot reject users who refuse to agree to tracking – unless the tracking in question is necessary for the service that a user explicitly requests from Facebook. pic.twitter.com/wvUvPAKT2K
This ruling is one of several defeats Facebook has suffered in European courts in recent months. In January, the Berlin Regional Court ruled that Facebook’s approach to consent and terms are unlawful. (See ruling here (in German) https://pagefair.com/wp-content/uploads/2018/04/Berlin-Court-judgement-German.pdf …)
In April, the Irish High Court referred important aspects of Facebook’s trans-Atlantic transfers of personal data to the European Court of Justice, once again, for scrutiny. It is likely that worse is to come, unless it significantly changes its approach to data protection.