Facebook at Work Platform Raises EU Privacy Concerns

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Marcus Hoy

Aug. 1 — Facebook Inc.'s corporate communications platform is running afoul of Norwegian privacy regulators and its standard contract terms might not meet European Union privacy standards, some regulators say.

Facebook at Work provides companies with a cloud-based internal communication system but the standard contract terms, particularly regarding worker consent, the regulators say. To overcome that potential problem, companies should seek contract amendments to protect privacy, government officials and privacy attorneys told Bloomberg BNA.

Facebook at Work

Norway's data protection authority raised a direct challenge to the privacy adequacy of Facebook at Work July 22 and made recommendations for changes that companies should seek from the social media giant. But it is unclear what influence the Norwegian privacy office's conclusions will have on other European privacy regulators.

Approximately 450 companies worldwide are using the platform, including the Royal Bank of Scotland, global public relations company Weber Shandwick, Century 21 Real Estate LLC and Norway's Telenor ASA and DNB ASA.

Facebook officials told Bloomberg BNA that the Menlo Park, Calif.-based company stands ready to discuss changes in individual contracts with its Facebook at Work clients.

Norway Regulator Raises Alarm

Facebook at Work likely violates Norwegian and European Union privacy laws, Norway's Data Protection Authority concluded after initially reviewing the use of the platform by some large Norway-based companies.

The privacy office shared its concerns after investigating the use of Facebook at Work by DNB ASA—the largest financial services company in Norway with a market capitalization as of Aug. 1 at 149.9 billion Norwegian kroner (approximately $17.7 billion), Bloomberg data show—and Telenor ASA, the eleventh largest telecommunications services company in the world—with a market capitalization as of Aug. 1 at 211.6 billion Norwegian kroner (approximately $24.9 billion) Bloomberg data show.

The privacy office is in discussions with DNB and Telenor regarding their use of Facebook at Work, Ove Skara, communications manager at the Norwegian privacy office, told Bloomberg BNA.

Torild Uribarri, director of communications and corporate affairs at Telenor Norway, told Bloomberg BNA that all of the telecommunication company's 36,000 employees in 13 nations were covered by a contract that was negotiated between Telenor ASA and Facebook at Work. After a review, the company concluded that Facebook at Work's general terms and conditions didn't fully adhere to Telenor's internal privacy policies, she said.

Norway isn't a member of the EU and it is unclear how much the finding's of its privacy regulator will influence privacy offices in the EU. Norway is a member of the European Economic Area and by treaty is obliged to generally follow EU privacy law.

Privacy officials in Denmark, Finland, Germany, Italy, Ireland, Sweden and the U.K. told Bloomberg BNA that they haven't received direct complaints about the platform and aren't planning to release Facebook at Work guidance.

Matthew Jones, communications executive at the Office of the Irish Data Protection Commissioner, said that Facebook at Work would be evaluated as part of the office's ongoing supervision of technology companies.

An Italian privacy office spokesman said that the office was involved in discussions with other European privacy regulators on the potential risks associated with the Facebook at Work platform

Privacy officials in Denmark, Finland and Sweden said companies should consult the offices' respective general guidances on Facebook and cloud services.

Worker Consent Issues

Companies should attempt to renegotiate the terms of use with Facebook at Work to better reflect privacy protections in relevant law, the Norway privacy office said.

If companies use Facebook at Work, they can't “consent on behalf of their employees to allow” Facebook to use “workplace communications to analyze users' behavior, interests and relationships,” Skara said.

Although Facebook at Work encourages dialogue on its terms and conditions, the privacy office said that all users must accept standard terms of use and privacy policies before they may create a user profile. These standard terms are “at times unclear” and may allow Facebook to use personal data for commercial purposes, the Norway privacy office said in a statement.

Arne Gerhards, press and public relations officer at the Hamburg Commissioner for Data Protection and Freedom of Information told Bloomberg BNA that in a company-wide Facebook at Work scenario “employees cannot from a legal point of view give free consent for the collection, processing or use of their personal data.”

“This restricts the scope of the data processing significantly. Furthermore, as controller, the employer is responsible for the processing of the data by Facebook,” Gerhards said. “Facebook as a processor hasn't any legal responsibility in relation to the employees. In the end, it is employers who have to ensure that the data protection and privacy concerns of their employees are met,” he said.

“From a legal point of view, it is essential that Facebook at Work is controlled by the company using the platform,” Gerhards said. “Companies using this service have to ensure that their legal and technical requirements are met by Facebook,” he said.

“The data processed by Facebook must be stored separately and that deletion of data by users is carried out immediately and efficiently by Facebook,” Gerhards said.

Facebook Open to Discussion

The platform is designed as a stand-alone service that allows employees and employers to communicate, share content and create internal networks, according to Facebook's description of the platform.

Vanessa Chan, a spokeswoman for Facebook, told Bloomberg BNA that companies are given the opportunity to sign individualized agreements with Facebook at Work. Data security issues, such as the data localization, may be addressed in negotiations over specific language in the contract, she said.

“While the specifics may vary from company to company, the standard terms and conditions agreements make clear that, like other cloud services, the company controls” its data, Chan said.

“These agreements also indicate that Facebook will not use client company's data to provide or target advertising to users or otherwise personalize their experience on their personal Facebook accounts,” she said.

“Facebook at Work is completely separate from personal Facebook,” Chan said. “Users will only see and share content from co-workers within their company.”

Challenge for Smaller Businesses

Christopher Sparre-Enger Clausen, technology transactions managing associate at the Oslo-based law firm Thommessen, told Bloomberg BNA that companies should follow the Norway privacy office's instructions to negotiate individual tailored contracts with Facebook.

The Norwegian privacy office's Skara said that the negotiation of suitable privacy-protecting terms and conditions with Facebook may be a challenge for small and medium-sized businesses.

“On the basis of our experience, we expect that some companies will uncritically accept the terms and conditions proposed by Facebook,” he said.

The Norwegian privacy office is encouraging Facebook to amend its terms and conditions to “comply with European and Norwegian privacy law,” Skara said.

Fredrik Dahl, an employment lawyer at the Stockholm-based Vinge law firm, agreed that smaller companies may find it difficult “to negotiate specific contract terms.”

But if more EU privacy regulators point out the issue, Facebook may move to change its general contract terms “so that customers will not be in breach of the law if they use the service.”

Clausen agreed that the process will be cumbersome for smaller companies but that as more engage with Facebook over specific privacy terms “it is likely that Facebook will update its data policy” to reflect the guidance of privacy regulators.

To contact the reporter on this story: Marcus Hoy in Copenhagen at correspondents@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com ; Jimmy H. Koo at jkoo@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.