Privacy policy FAIL (again): Facebook accused of violating European law

An investigation requested by the Belgian Privacy Commission found that 'Facebook is acting in violation of European law.'


Well, well, well … Facebook is facing trouble again over its privacy policy. Imagine that.

This time, after the Belgian Privacy Commission requested an investigation into Facebook's policies, an analysis by the Interdisciplinary Center for Law and ICT found that "Facebook is acting in violation of European law."

Facebook rolled out its new policies and terms on January 30th, 2015. In the text, Facebook authorizes itself to (1) track its users across websites and devices; (2) use profile pictures for both commercial and non-commercial purposes and (3) collect information about its users' whereabouts on a continuous basis. Facebook announced the changes more than a month in advance, but the choice for its +1 billion users remained the same: agree or leave Facebook.

The Register reported that Facebook claims its new privacy policy was "an attempt to 'simplify' its privacy rules." Although the social network claims its new policies are not in breach of the Belgian Data Protection Act, ICRI's investigation into Facebook's policies found the polar opposite to be true.

According to a draft of the report, "A critical analysis of Facebook's Revised Policies and Terms" (pdf), dated today, February 23, there are eight specific problems with Facebook's revised policies and terms: consent, privacy settings, unfair contract terms, issues with data subject rights, collection of location data, tracking practices, problems with how Facebook combines and shares data about users, as well as problems with the way the social network uses user-generated content for commercial purposes.

ICRI explained:

First, Facebook places too much burden on its users. Users are expected to navigate Facebook's complex web of settings (which include "Privacy", "Apps", "Ads", "Followers", etc.) in search of possible opt-outs. Facebook's default settings related to behavioral profiling or Social Ads, for example, are particularly problematic. Moreover, users are offered no choice whatsoever with regard to their appearance in "Sponsored Stories" or the sharing of location data.

Second, users do not receive adequate information. For instance, it isn't always clear what is meant by the use of images "for advertising purposes". Will profile pictures only be used for "Sponsored Stories" and "Social Adverts", or will it go beyond that? Who are the "third party companies", "service providers" and "other partners" mentioned in Facebook's data use policy? What are the precise implications of Facebook's extensive data gathering through third-party websites, mobile applications, as well as recently acquired companies such as WhatsApp and Instagram?

The report goes into details such as "Facebook's opt-out approach for mobile tracking does not provide for legally valid consent" and "Facebook's current opt-out approach does not provide for legally valid consent." Additionally, it was suggested that Facebook should embrace privacy by design for its social plug-in, so it would be privacy-friendly by default. The report (pdf) includes much more.

Yet according to the Guardian, Facebook is "confident" that its recently updated terms and policies are "more clear and concise," and highlight how the social network is "expanding people's control over advertising." Facebook is also confident that its updates "comply with applicable laws."

A Facebook spokesperson added, "As a company with international headquarters in Dublin, we routinely review product and policy updates including this one – with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law."

Surely Facebook realizes that complying with Irish law doesn't necessarily imply its policies comply with Belgian privacy laws? The social network reportedly told the Belgian privacy minister that there had been "misunderstandings" about its new policy. A disingenuous "good luck with that" to Facebook, as The Register reported, "A pan-EU probe is already underway, with the Netherlands, Belgium and Germany all working together as part of a so-called Article 29 taskforce."

Class action lawsuit gunning for Facebook's real-name policy

Meanwhile, in the U.S., there is other trouble brewing for Facebook as a result of its real-name policy. Native American Dana Lone Hill had her Facebook account suspended after changing her last name from her mother's, which is Lone Hill, to her father's, which is Lone Elk. Naked Security reported she is "one of many Native Americans whom Facebook shut out over erroneous reports of fake names." So now she is heading up a class action lawsuit against Facebook over its real-name policy.

Copyright © 2015 IDG Communications, Inc.
