March 2018 proved to be quite an eventful month in the world of data technology, privacy and consumer rights, and for how all of these can be violated and used for profit in disregard of rules and regulations.
The scandal that brought to light the monetization of Facebook personal data temporarily raised awareness among Facebook users all over the globe of how their personal data is handled and what that could mean for them.
As you have all probably heard by now, there is a legal document called the General Data Protection Regulation (or 'GDPR' for short) being implemented on the 25th of May which will have wide-scale effects for EU citizens and for businesses falling under EU law alike. It is a mechanism to provide EU citizens, or 'Data Subjects', with proper control over how their data will be handled, stored, used and deleted, and it can impose hefty fines on data controllers for non-compliance with the articles set out therein.
In this article, we're going to have a look at Facebook's newly updated Terms & Conditions and how well they (will) comply with the GDPR.
'If it's free, you're the product.'
Facebook has proven to be an essential tool for businesses, especially advertisers, to provide highly specific and targeted advertisement content to Facebook users based on their preferences: when you like certain pages, Facebook gathers valuable data on what you might and might not be interested in. It's a huge business. Statistics show that Facebook generated $39.94 billion in 2017 and these revenues have been exponentially increasing since Facebook introduced the advertising system in 2009.
Following a recent request by a client, we delved into the newly updated terms & conditions that will come into effect on May the 25th, and what this means for them as an advertiser or as an agent of an advertiser under the GDPR and how compliant we can expect Facebook to be.
Data Processing and the role of Facebook
Under the GDPR a distinction is made between a Data Controller and a Data Processor. This is important with regard to responsibilities and the related liability that can arise.
A data controller controls the overall purpose and means – the 'why' and 'how' of the data to be used. A data controller can use an external third party to process the data on its behalf. The data processor, however, does not control the data and cannot change the purpose or use of the particular set of data. The data processor is limited to processing the data according to the instructions and purpose given by the data controller.
What is important is for the data controller to receive explicit consent from the data subject for the use of its data. When looking at the Data Processing Terms we see that article 1 sub 2, which covers the consent for the use of sub-processors by Facebook, is too poorly worded to exhibit full compliance with the GDPR. The second sentence reads "If you reasonably object to such additional sub-processor(s), you may inform Facebook in writing of the reasons for your objections. If you object to such additional sub-processor(s), you should stop using the Services and providing data to Facebook."
This essentially comes down to: 'If you don't like it, you can let us know why. However, you should just stop using our services and providing us with data if you don't like it. We're not going to do anything about you not liking it anyway.'
Stand your ground
So then, how should someone go about this? Nowhere on the page can I find an e-mail address to which I can send my long list of objections. Considering I have a Facebook account, I checked under my "Settings" tab. Apparently the "Support Inbox" is, as the name suggests, only a place to read received messages. The "Your Facebook Information" tab only offers the possibility to access and download the information you have shared with Facebook, which is very limited in its design.
So there are two possibilities right now: either you have a Facebook account or you don't have one. In both cases, however, you have the right following from articles 13-15 GDPR to receive all the data a controller has about you. Using the "Download your information" tool within the Facebook environment fails to comply with even the current EU data protection law on data downloads. Subject Access Requests provide data subjects with the right to request not just the information they have voluntarily uploaded to a service, but also personal data the company holds about them, including a description of the personal data, the reasons it is being processed, and whether it will be given to any other organizations or people.
"Facebook not only does not include people’s browsing history in the info it provides when you ask to download your data — which, incidentally, its own cookies policy confirms it tracks (via things like social plug-ins and tracking pixels on millions of popular websites etc etc) — it also does not include a complete list of advertisers on its platform that have your information.
Instead, after a wait, it serves up an eight-week snapshot. But even this two month view can still stretch to hundreds of advertisers per individual." (via: https://techcrunch.com/2018/04/18/data-experts-on-facebooks-gdpr-changes-expect-lawsuits/)
To actually find a way to send Facebook an e-mail with a reasonable objection, or a request to access your data if you don't have an account, you have to search Google for a relevant information page. That search brought up the support page "Accessing and downloading your Facebook information", which explains how to access and download your data if you have a Facebook account.
However, in case you don't have a Facebook account, you have to select the checkbox "this doesn't answer my question", which magically opens another paragraph and shows the first publicly available Facebook e-mail address I've personally come in contact with:
"Please provide us with the following information and we'll follow up. Alternatively, you can email email@example.com"
Not only does this fail to meet the requirements of article 25 GDPR on privacy by design and privacy by default, it is also contrary to article 12 GDPR, which states explicitly that "[t]he controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]".
The Advertiser's plight
Under the GDPR advertisers can be considered both a data controller and a data processor most of the time, which doesn't necessarily make the whole ordeal easier.
One of the most important aspects of advertising from May 25th onwards is to receive explicit consent from the data subject in order to continue sending promotional offers.
Most of the time, however, advertisers do not send direct e-mails to their customer list but make use of various promotional tools such as MailChimp or Facebook.
The consent to show ads to Facebook users, by contrast, is based on the consent and personal information those users provide to the platform. Explicit consent from Facebook users to the advertisers to target them with ads is thus not required within this relationship.
Who REALLY controls the data?
One of the tools Facebook provides advertisers with for the purpose of creating highly targeted, efficient ads is Custom Audiences, which lets you create an audience using your own data, such as e-mail addresses and phone numbers. This data is locally hashed on your system before you upload and pass it to Facebook to be used to create your Custom Audience.
If you've so far kept up, you'll notice that the uploading of this personal data brings some questions with it regarding consent and the manner in which the data is processed.
As I've stated before, as a data controller you have a lot of responsibilities under the GDPR, whereas as a data processor these are greatly diminished. Unsurprisingly, Facebook tries to downplay its role in the Custom Audiences Terms, to which the advertiser has to agree in order to make use of the feature.
Under "A Note to EU and Swiss data controllers" Facebook claims that the data controllers merely instruct Facebook to act as a data processor on their behalf when making use of the Custom Audiences feature.
However, such legal determinations are simply not a matter of contract terms. They are based on the fact of who is making decisions about how data is processed. First of all, Facebook has now acquired a bit of personal information through this process (that an e-mail address they know is known to an advertiser). Consequently, what guarantees that they won't use this information for future profiling? Not to mention whether they employ any such acquired data for other tracking mechanisms such as the Facebook Pixel and the like.
In addition to this, the difficulty of filing a Subject Access Request with Facebook, as described above, and the kind of information provided in response to such a request show that not all of this information is 'forgotten' by Facebook.
As such, Facebook would be classed as a joint controller with any advertisers that upload personal data, and it does not exempt itself from being a data controller just by updating its terms & conditions.
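The matching step behind this argument, as an added example that is not from the original article or from Facebook: the party receiving hashed addresses hashes the addresses it already holds in the same way and thereby learns which of its own users are the advertiser's customers. It assumes SHA-256 over a trimmed, lower-cased e-mail address (the article only says the data is "locally hashed"), and all function names and addresses are constructed.

```python
import hashlib


def normalize_email(email: str) -> str:
    # Assumed normalization: strip whitespace, lower-case.
    return email.strip().lower()


def hash_identifier(email: str) -> str:
    # Assumed scheme: unsalted SHA-256 of the normalized address.
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def advertiser_upload(customer_emails):
    """What leaves the advertiser's system: digests only, no clear text."""
    return {hash_identifier(e) for e in customer_emails}


def platform_match(uploaded_hashes, platform_accounts):
    """Receiving side: hash the addresses already on file the same way
    and intersect. Every hit re-identifies a known account holder."""
    index = {hash_identifier(e): e for e in platform_accounts}
    return sorted(index[h] for h in uploaded_hashes if h in index)


# Constructed sample data.
ADVERTISER_CUSTOMERS = [" Alice@Example.com ", "bob@example.org", "carol@example.net"]
PLATFORM_ACCOUNTS = ["alice@example.com", "bob@example.org", "dave@example.com"]

if __name__ == "__main__":
    uploaded = advertiser_upload(ADVERTISER_CUSTOMERS)
    matched = platform_match(uploaded, PLATFORM_ACCOUNTS)
    # The platform now knows these account holders are this advertiser's customers.
    print("re-identified:", matched)
    print("unmatched digests:", len(uploaded) - len(matched))
```

Because the hash is deterministic and unsalted, it works as a join key rather than as anonymisation: only addresses the recipient has never seen stay opaque.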
Error: case law required
What does this eventually mean for the advertisers using Facebook and all of its tools?
Right now, we don't know. Until there have been a few cases in which these questions are addressed to the Court of Justice of the European Union, it is still unclear how this will actually be enforced and dealt with.
In the meantime, what I suggest everyone do to stay GDPR compliant as a data processor is to make sure you have all the required Data Processing Agreements in place with your data controllers, and that your Privacy Statement provides a transparent and effective means for data subjects to exercise their rights under the GDPR.
If you would like me to have a look at how GDPR-proof your company is, feel free to send me an e-mail at firstname.lastname@example.org