Facebook is in trouble over privacy again, and seems only to have itself to blame.
The European data protection authorities have for some time expressed concern about the activities of various social networking sites, and in June 2009 the so-called “Article 29 Working Party” (no – not a terrorist group but rather a collection of national data protection authorities from around the EU) issued an “Opinion on Online Social Networking” setting out its views on how European data protection laws will apply to a number of aspects of social networking. The Working Party followed this up in November 2009 with a hearing with three major social network service operators including Facebook.
The Working Party’s position on these matters is to emphasise the need for users to have default settings in which access to profile information and information about the user’s connections on the network is limited to elements specifically selected by the user; any further access should be an explicit choice of the user. The Working Party also required that social network providers give users maximum control over how third-party applications can access their data, and warned providers against using personal data of a user’s connections for commercial purposes unless those connections themselves had given their free and unambiguous consent. European regulators also continue to press for users to be able to access social networking services under pseudonyms in order to preserve personal privacy, something which Facebook strongly resists.
What did Facebook do? Within days of the meeting Facebook changed the default settings so that a user’s profile information was automatically shared with partners such as Microsoft docs.com, Pandora and Yelp unless the user opted out. In a letter sent to 20 social network operators earlier this month the Working Party singled out Facebook and complained that its changes in policy were “unacceptable”. This may not seem like much, but when a body like the Working Party uses this sort of language it’s pretty strong stuff.
What the law says
Who’s right, Facebook or the regulators? Data protection law is generally harmonised throughout the EU in a way that provides a base level of protection for personal information, with some countries such as Germany then going beyond that level to provide even more protection (or restriction, depending on your point of view). A key basic principle is that in most situations an individual’s personal data should not be processed in any way without that individual’s consent. The key issue in the current Facebook dispute is what form that consent must take; Facebook’s position is that it offers a user default settings under which the user’s information is shared with third parties in a way designed to maximise the user’s benefit from the network, but always allowing the user to “opt out” and change the default settings to be more restrictive. The Working Party’s view is that each user must “opt in” to sharing his or her data in each of the ways on offer from the network. The Working Party speaks of “explicit choice” and of “free and unambiguous consent”.
The 1995 European Data Protection Directive on which all EU national data protection legislation must be based defines “consent” as “any freely given specific and informed indication” of wishes signifying agreement to personal data being processed, and such consent must be given “unambiguously”. There are in addition special rules applying to so-called “sensitive personal data” (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and details of a person’s health or sex life) under which “explicit consent” must be given.
In many cases a social network provider can reasonably assume that its users can read, and that when a user clicks “I accept” he or she has read and understood the profile settings on offer and has therefore consented freely and unambiguously as required by the Directive. But this assumption may not hold up if the settings are unduly complicated. According to BBC News, Facebook’s privacy policy has 50 different settings and 170 options, with the policy being longer than the US Constitution. In such circumstances Facebook may find it difficult to show specific, informed and therefore unambiguous consent.
However, it does need to be remembered that these restrictions under data protection law apply only to “personal data” – data that on its own, or when combined with other data available to the data processor, identifies an individual human being. Anonymised, aggregated data used by a social network provider do not fall under these restrictions.
Conclusion
Facebook does appear to have acted unwisely here, particularly in the light of ever tougher data protection laws in Europe. Whilst the Working Party does not have any enforcement powers itself, its members do. Earlier this year the UK adopted a new regime under which the Information Commissioner (the U.K.’s “data protection tzar” so to speak) was given new powers to impose administrative fines of up to £500,000 for breaches of data protection law. Whilst Facebook could afford such fines in the short term, the public relations impact may well cost it dearly in the long run.
The plain fact is that social networks as such are not incompatible with personal data privacy, the fundamental principle of which is that an individual should have control over how his or her personal data is used; any incompatibility is between those principles and the desire of those who run some of these networks to sell their users’ information to other businesses. They can do this, but only with appropriate consent.
© Taveners May 2010