Can Facebook and user privacy co-exist? (06/02/2012)
This article was first published in Intellectual Property Magazine, 6 February 2012.
Manches’ Margaret Tofalides and Edward Colclough consider Facebook’s recent run-ins with US and EU privacy laws and the impact this will have on the dominant social media site in 2012.
Mark Zuckerberg’s $100 billion business model was founded on the idea that “people want to share and connect with people in their lives”. If sharing has been the foundation of Facebook’s success then a recent wave of privacy concerns in the US and EU has left many onlookers and users asking whether Facebook and user privacy can really co-exist.
Federal Trade Commission (FTC) privacy concerns
On 29 November 2011, Facebook agreed to settle charges with the US FTC in response to complaints filed in 2009 by the Electronic Privacy Information Center (a public interest research group) and a coalition of US consumer groups over Facebook’s privacy practice.
Announcing its settlement with Facebook, the FTC said that it believed Facebook had breached the US Fair Trade Act by engaging in “unfair and deceptive” practices and that Facebook had deceived consumers by failing to honour privacy promises.
The FTC investigation found that Facebook users had been promised that they could keep their information private while Facebook “repeatedly” allowed such information to be made public or shared with others. Without warning its users, Facebook altered its website so that information that was previously designated as private, such as friend lists and restricted data, was made available to the public. The FTC also found that Facebook had allowed advertisers to glean personally identifiable information when users clicked on an advertisement on their Facebook page, and that third-party apps that users installed had access to nearly all of the users’ personal data. In summarising what seemed a comprehensive dismissal of the website’s practices, the FTC chairman, Jon Leibowitz, concluded, “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”
FTC settlement
The settlement bars Facebook from making future misrepresentations about the privacy of consumers’ information, requires Facebook to first obtain users’ express affirmative consent before making changes to privacy preferences, and obliges Facebook to establish and maintain a comprehensive privacy programme to address privacy risks throughout the future development of the site.
Facebook must also undergo independent audits of its privacy practices every two years for the next 20 years. In addition, a penalty of $16,000 a day will be imposed for future breaches of the settlement agreement. No fine was levied against Facebook and the commission fell short of accusing it of intentionally violating the law.
Did the FTC show enough teeth? Last year the FTC also settled complaints with Silicon Valley giants Twitter and Google over serious data security lapses and the fraudulent collection of data. This recent settlement clearly cements an ongoing agenda to uphold privacy standards in an industry that has flouted privacy boundaries during a period of vast growth.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, acknowledged the settlement as a step towards better privacy protection. However, he noted that the US still lacks a comprehensive privacy framework. While the Facebook settlement sends a clear signal that lax consumer privacy practices will be punished, individual settlements with companies such as Facebook fall short of implementing a comprehensive framework to protect consumer privacy. In an industry dominated by updates and innovation, companies like Facebook will always be trying to push the boundaries, and the need for such a framework is all the more pressing.
Facebook v Europe
Across the Atlantic, Facebook faces equally uncomfortable privacy questions in the EU. The Data Protection Commissioner (DPC) of Ireland has recently audited Facebook Ireland and, releasing its report on 22 December 2011, identified a wide range of improvements which Facebook will have to implement over the next six months. The EU Justice Commissioner, Viviane Reding, has also called for the existing EU laws on data protection to be replaced in early 2012. Reding has called for a single bloc-wide reform, arguing that the current law on data protection pre-dates the rise of the social media phenomenon and is ill-equipped to deal with companies like Facebook.
The DPC’s comprehensive audit of Facebook included reviews of its operations, privacy practices and parts of its software code. The audit was partly prompted by complaints made by a group of Austrian students lobbying under the name Europe v Facebook. The group was spurred by Max Schrems, a 24-year-old law student, who wrote to Facebook requesting that he be provided with all the data Facebook held on him. Schrems was shocked when he duly received a detailed dossier documenting his activity over the past three years in the form of a CD of data divided into 57 categories containing over 1,200 pages of Facebook wall posts, messages, removed friends and ‘pokes’ – all information Schrems believed he had deleted. From the information provided, Schrems and his fellow students formulated 16 complaints against Facebook’s privacy practices in the EU.
DPC report
A prominent complaint in the build-up to the audit was that Facebook was creating ‘shadow profiles’ of non-users by collecting email addresses and excessive information on them without giving notice or obtaining consent. The audit found no evidence of this. The DPC did, however, make a series of best practice recommendations which, once implemented, would in its view make Facebook compliant with the law and alleviate some of the complaints made against Facebook. Implementing these recommendations will certainly bring about a significant change to the service that Facebook currently provides in Europe.
The DPC report imposes requirements on Facebook to help users make informed choices about how their information is used and shared on the website, to delete certain data promptly and to simplify and make more prominent explanations of its privacy policies.
So how will life change for users?
Facebook has committed itself to a policy of full transparency in informing users how their personal data will be used for ‘targeted advertising’ – a process where advertisers target advertisements to the web pages of a particular demographic, and Facebook anonymously selects the relevant people of that demographic. Users will further be given the right to control social advertisements through their privacy settings and be provided with greater options to block such advertisements. Going forward, users will also be required to give their consent before being added as a member of certain Facebook groups. Users should expect to receive far more information on how their data will be used and to be asked for their affirmative consent.
Less noticeable to users, Facebook will implement a robust process for deleting unnecessarily held data. It will move to irrevocably deleting all user accounts and data on request within 40 days of receipt of the request. The DPC commented that “the current policy of retaining ad-click data indefinitely is unacceptable” and Facebook has immediately changed to a two year retention period. In addition, all personal data collected will have to be deleted when the purpose for which it was collected has ceased. Data collected from social plug-ins will be anonymised within 10 days and deleted after 90 days.
In principle the DPC found no fault in Facebook’s controversial facial recognition tag (a technology which uses facial recognition software to identify individuals in photos uploaded and subsequently encourages users to tag these individuals so that they are easily identifiable). However, the DPC did say that “[Facebook] should have handled the implementation of this feature in a more appropriate manner” and recommended that consent must be obtained (rather than automatically opted-in), and that a prominent warning be given to users about this feature. In relation to information obtained by third-party apps, Facebook will now provide users with clearer terms and conditions and an easier mechanism for them to consent to their personal data being used by third-party apps.
A major theme that jumps out from the DPC report is the need for improved communication to users and a more simplified and comprehensible privacy policy. The report will trigger considerable privacy tweaks and some reverse moves by Facebook in the area of user privacy. Whether users will be the ultimate winners remains to be seen over the next six months while the implementations take effect. That said, at the beginning of 2012 Facebook users certainly appear to be in a better position in terms of data protection and user privacy than at the same time last year.
The collective concerns of regulators, privacy campaigners and the general public in the US and EU have highlighted Facebook’s privacy flaws in 2011. The almost too powerful social media website has been forced to readdress its aggressive approach in relation to user privacy that has, to date, proven so successful both financially and with users. As a result, Facebook has started 2012 with a number of resolutions that will enhance its privacy policies and preserve data protection for its users.
A right to be forgotten
While Facebook starts the year with clear intentions, one thing that remains distinctly hazy on both sides of the Atlantic is the law that governs data protection in relation to social media sites. The US has no comprehensive privacy framework and the current EU law - having been transposed by Member States in 27 different ways - is fragmented.
This is something the EU Justice Commissioner, Viviane Reding, has explicitly identified. Reding believes that more consistent and effective enforcement of data protection is needed throughout the EU, and that doing so will instil trust in emerging technologies and assist growth and competitiveness in this market. Underlining her proposed revamp of EU data protection law, Reding has stressed that “a US-based social network company that has millions of active users in Europe needs to comply with EU rules.” It is envisaged that national privacy watchdogs in the EU will be granted the power to investigate non-EU data controllers whose services target EU consumers.
The draft legislation is set to be released on 25 January 2012 and will demonstrate the EU’s commitment to protecting consumer privacy. Reding asserts that “users should be in control of their data” and has identified four pillars upon which the privacy rights of EU citizens should be founded: the ‘right to be forgotten’, ‘transparency’, ‘privacy by default’ and ‘protection regardless of location’.
The ‘right to be forgotten’ will require data controllers to delete data when an individual has withdrawn their consent to it being processed. This right will require data controllers to prove that the data they hold is necessary, rather than individuals having to prove that it is not. The right to ‘transparency’ will require data controllers to fully inform individuals about which of their data will be collected and for what purposes. ‘Privacy by default’ acknowledges that privacy settings are not a reliable indication of user consent, and use of data for purposes other than those specified must only be allowed with the explicit consent of the user. ‘Protection regardless of location’ commits to providing homogeneous privacy standards throughout the EU for all products targeted at EU consumers.
Social media sites will be watching closely over the coming months as these four pillars are debated. They will also have a close eye on the new sanctions regime. Based on the principle that penalties must be ‘effective, proportionate and dissuasive’, the draft regulation provides for a maximum fine of 5% of global turnover, similar to the EU’s competition law maximum fine of 10% of global turnover. It is clear that Reding aims for EU law to lead the way in forcing global companies to strengthen their data protection.
What’s next for Facebook?
Facebook has changed the way we view privacy – people now openly share information about their age, address, relationship status, academic background, political views, likes and dislikes and even those embarrassing photos. This shift in attitude, encouraged by Facebook constantly pushing privacy boundaries, has underpinned its spiralling global success. In doing so, Facebook has become known for innovating first and sorting out later.
Recent run-ins with privacy law have forced Facebook to reassess its approach to user privacy. With a reported $100 billion flotation in the pipeline, Facebook will desperately want to put investors’ nerves at ease on this topic. Whether or not it likes or dislikes the changes that will follow, Facebook will need to become better friends with privacy law in 2012.
