New Facebook Policy Violates EU Law, Report for Belgian Privacy Regulator Says

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Stephen Gardner

Feb. 23 — An updated Facebook privacy policy that took effect at the end of January contravenes European Union data protection law on a number of points, according to a Feb. 23 draft advisory report commissioned by Belgium's data protection authority, the Belgian Privacy Commission.

The draft report, prepared by the Interdisciplinary Centre for Law and Information and Communications Technology (ICRI) at Belgium's Leuven University, said that it was “highly questionable” whether Facebook's approach to securing consent for data processing resulted in legally valid user consent.

To be legally valid, user consent must be freely given, specific, informed and unambiguous, as required under the EU Data Protection Directive (95/46/EC), the ICRI said in questioning Facebook's policy.

In particular, Facebook's system by which users can opt out of behavioral profiling and advertising “does not meet the requirements for legally valid consent,” and users are given no ability to opt out from processing of their location data, the draft report said.

It added that Facebook also gives insufficient control to users over how their data from a variety of sources, including from data brokers and applications, are combined “in relation to profiling for third-party advertising purposes,” and that Facebook's terms “do not properly acknowledge the data subject rights of its users.”

In addition, Facebook's collection of data, particularly geolocation information, from mobile devices is likely to be noncompliant with the EU e-Privacy Directive (2002/58/EC), while several clauses of Facebook's contract terms violate European consumer protection law, the report said.

Investigation Ongoing 

The Belgian Privacy Commission asked the university institute to draft the report as part of an investigation into Facebook's privacy policy, which the commission is carrying out in liaison with Dutch and German data protection authorities.

Sarah Boulerhcha, a Belgian Privacy Commission spokeswoman, told Bloomberg BNA Feb. 23 that it was unclear when the investigation report would be completed and formally handed over to the privacy commission.

The Belgian privacy commissioner sent questions to Facebook about its new privacy policy and is awaiting a reply, Boulerhcha said.

The university institute said in a Feb. 23 statement that privacy policy changes introduced by Facebook in January “weren't all that drastic” and were “simply old practices made more explicit.”

Facebook “places too much burden on its users,” who are “expected to navigate Facebook's complex web of settings … in search of possible opt-outs,” the university institute said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

The draft report, “From Social Media Service to Advertising Network: A Critical Analysis of Facebook's Revised Policies and Terms,” is available at http://www.law.kuleuven.be/icri/en/news/item/facebooks-revised-policies-and-terms-v1-1.pdf.