EU Eyes Facebook Privacy Practices, Are Other Social Media Next?

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Sara Merken and Daniel R. Stoller

A European Commissioner’s warning to Facebook Inc. about its data collection practices is a tip-off to other social media companies to be clearer about what they do with users’ personal information, privacy attorneys said.

The EU’s new high-stakes data privacy regime, the General Data Protection Regulation, has been a sleeping giant since it took effect in May. Although European Justice Commissioner Vera Jourova wasn’t referencing the GDPR in her comments about Facebook, data collection transparency is a major underpinning of the EU’s new privacy regime.

Expect social media companies to test the waters because data enforcement is a real “threat to their business models,” Robert Cattanach, privacy partner at Dorsey & Whitney LLP in Minneapolis, told Bloomberg Law.

Companies that violate GDPR privacy standards can be subject to fines of up to four percent of annual revenue, or $1.63 billion in Facebook’s case.

Facebook tells users their data is used to improve their overall experience, but doesn’t tell them that it is also used for commercial purposes, Jourova said. She warned Facebook to change some of its terms and conditions by December to avoid sanctions.

Jourova’s warning is a reminder to social media and other companies that collect consumer data in the EU that they must be clear and transparent in their privacy policies or terms and conditions, privacy attorneys said.

“There is clearly a feeling that some of the most pioneering Silicon Valley companies, whilst having offerings that are hugely popular, are increasingly using personal data in ways that the average consumer may not understand,” Rafi Azim-Khan, leader of Pillsbury Winthrop Shaw Pittman LLP’s data privacy and cybersecurity practice in London, told Bloomberg Law.

Facebook updated its terms of service in May “and included the vast majority of changes the Consumer Protection Cooperation Network and the European Commission had proposed at that point,” a company spokesperson told Bloomberg Law Sept. 21. “Our terms are now much clearer on what is and what isn’t allowed on Facebook and on the options people have.”

Facebook’s spokesperson said the social media giant “will continue our close cooperation to understand any further concerns and make appropriate updates.”

Business Model Concerns

EU privacy officials have been concerned that social media companies’ data collection schemes may harm consumer’s online privacy, the EU’s top data protection supervisor told Bloomberg Law.

The EU has “said consistently that the dominant business model for web based services represents a systemic threat to people’s freedom and privacy online,” European Data Protection Supervisor Giovanni Buttarelli told Bloomberg Law in a Sept. 21 email. The consumer data is “monetised by means of profiling and targeting,” he said.

EU regulators “will try to move the needle” with enforcement against social media companies, but there is “enough incentive for them to not open the door” during investigations to expose the data they use, Cattanach said.

EU Regulators Zero In

Jourova’s Sept. 20 comments highlight how EU regulators and officials can use the GDPR to pressure Silicon Valley giants and other global technology companies, privacy attorneys said.

Transparency with customers about how their information is used has always been a requirement for companies in Europe, but the GDPR implements more granular obligations, Rohan Massey, who leads Ropes & Gray LLP’s privacy and cybersecurity practice in Europe, told Bloomberg Law Sept. 21 without commenting on any specific company.

All social media companies need to focus on transparency as they collect and gain monetary value from the massive amounts of EU citizen data they collect, privacy attorneys said. If they don’t follow GDPR transparency rules, the social media companies risk enforcement, they said.

“It is clear that the overall risk profile for tech companies in this area increased,” Jorg Hladjk, who leads Jones Day’s cybersecurity and privacy practice in Brussels, told Bloomberg Law Sept. 21.

Irish Facebook Probe

Ireland’s data protection authority is already probing Facebook. EU consumers say the company forced them to agree to new privacy policies without clear notice.

The EU consumer complaint, filed by Austrian privacy advocate Max Schrems’ group, NOYB, is being investigated by the Irish authority, which has the power to probe the company on an EU-wide basis under the GDPR.

The investigation is focused on Facebook’s transparency in the terms and conditions of use they convey to users and their data collection practices, Graham X. Doyle, spokesman for Irish Data Protection Commissioner Helen Dixon, told Bloomberg Law Sept. 21.

Request Bloomberg Law: Privacy & Data Security