Facebook and the protection of data

It has been impossible to miss the extreme level of scrutiny that Facebook has been placed under in the past few months. The revelations that approximately 87 million users, without their consent, had their data harvested by political marketing firm, Cambridge Analytical, has raised public awareness of Facebook’s problem with data handling. Following the incident, Facebook chief executive Mark Zuckerberg was questioned by the United States Congress, where he made it clear that the General Data Protection Regulation (GDPR) is “going to be a positive step for the internet”.

The GDPR, coming into force next month, requires companies to identify a legal basis for each type of processing of personal data. Where you do not need to process data in order to perform your contract with the data subject, you are likely to need the consent of the data subject unless you can show that it is in your legitimate interests and that the data subject would expect you to process the data in that way. If you are relying on consent, this consent must be requested in clear and plain language, and must be as easy to withdraw as to give. With this in mind, there is no doubt that the GDPR is placing Facebook under pressure to update their data protection policies to comply with the stricter provisions.

How is Facebook complying with the GDPR?

Last week, Facebook asked European users to review their privacy settings, and the way the company uses their data. This included asking users to review information in relation to:

• Adverts. Where Facebooks allows users to block targeted advertisement based on data about their browsing behaviours.

   

• Sensitive information, specifically sexual preference, religious views and political views. Facebook does not share user’s sensitive information, but will still be required to get explicit consent from data subjects to store or otherwise process that sensitive personal data and therefore this option allows users to remove any information which the user does not want other users to see.

   

• Face recognition technology, while banned in the European Union, users are now given the option to consent to turning it back on.

   

• Facebook also asked users to accept a revised Privacy Policy, which is more explicit and easy to read.

   

Users are free to consent to each section by pressing the large, blue “I Accept” button at the bottom of the page. If users want to remove their consent, they are urged to press the smaller button entitled “manage my settings” which brings users to a page where they can remove their consent for each section. If you click on “manage my settings”, you are then provided with further reasons why you should provide your consent, before being given the opportunity to withdraw consent.

The way Facebook has approached the GDPR has brought further criticism on the company, with critics stating that the approach taken makes it difficult for users to decline consent to certain applications, with the “I accept” button being larger and more colourful. When the GDPR comes into force, this approach may be not compliant because it is not as easy to withdraw consent as it is to give that consent. Furthermore, critics have stated that it appears to focus its efforts on getting user consent for its data collection practices rather than reducing the data it collects.

Next Steps for Data Privacy

With the introduction of these new settings, Facebook is taking steps to comply, but in some key areas does not appear to be applying more than the bare minimum of standards. Once the new legislation comes into force, different business sectors will start to establish normal market practice in respect of GDPR.  The one thing that remains clear is that data protection has become a topic of public interest and users will become increasingly aware of their rights.  Facebook and other big data companies will be closely watched in the months to come.