Facebook is announcing some interesting steps in the face of the General Data Protection Regulation in their recent blog “Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live”. The steps are presented in such a way that you could assume Facebook is actually ensuring it meets GDPR's requirements. If you dig a little deeper, though, important GDPR elements appear to be either dark grey or missing completely.
Before highlighting the non-compliant issues, Facebook deserves some recognition, as the steps described are definitely steps in the right direction towards more privacy protection for Facebook users. A good example is the ability to download an extract of the data Facebook stores about you. In that way, they’re following in Google’s footsteps. Unfortunately, that does not hold for all requirements prescribed by GDPR.
A lot of the settings they offer give users control over what data they share with Facebook’s partners. But if you really want control over what Facebook itself does with your data, you either have to remove the data or close your account. In this way, it seems that Facebook is protecting its commercial business model rather than going all-in on GDPR compliance.
In the remainder of this blog, I'll use two examples where Facebook still falls short when it comes to GDPR compliance.
Example 1: sharing can be a consent killer
Facebook does not give you the option to limit Facebook's use (and hence its processing) of your data if you decide to share information with your friends. And they don’t tell you what the exact processing purpose is. Instead, they just give some general explanations.
Wait a moment… Isn't sharing a standard feature of Facebook’s service and the main reason why people use it in the first place? This way, users that don’t want Facebook to collect or process their data can’t connect with friends and family!
This is at the very least a dark grey implementation of what GDPR requires, and it bypasses the principle of asking for proper and crystal-clear consent. It’s obvious that they want to stay away from asking for consent, as this would make it very clear to users what Facebook actually does with their data and could negatively impact the company’s business.
Example 2: what about consent for teens?
Quote from Facebook: “Even where the law doesn’t require this, we’ll ask every teen if they want to see ads based on data from partners”.
“Under GDPR, people between the ages of 13 and 15 in some EU countries need permission from a parent or guardian to allow specific features on Facebook”.
They’ll ask every teen? And in some countries?
All EU countries have regulation on asking parents or legal guardians for specific authorisation or permission for kids under the age of 16. In some countries this age barrier might be lowered, but in no way lower than the age of 13. When they ‘play with words’ like that, it sounds more like an advertisement, and you should not take all of it as fact. If you really want to know how GDPR will impact children's privacy, read my blog 'Children’s privacy under GDPR'.
To end on a positive note: overall, Facebook has taken some big steps forward when it comes to data protection and privacy. And it will be interesting to see how they will adapt to this new reality as even their home country (USA) starts turning up the heat. I guess it is no longer just those Europeans that are making a fuss over privacy… ;-)
Feel free to repost this blog on your website! But when you do so, please be so kind as to mention the source and notify us via firstname.lastname@example.org
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years, the last 15 of which at two well-known Identity Management vendors.