Europe’s Privacy Regulators vs Facebook
Data Protection Authorities of a number of European countries (notably France, Spain, Belgium and the Netherlands) have announced a formal action in the Facebook case. The announcement and summaries are available here. To tackle this particular issue the DPAs formed a dedicated Contact Group allowing a coordinated analysis. A pretty unprecedented move.
A few years ago, the Belgian Privacy Commission started to closely monitor the landscape surrounding Facebook. The affair is not over yet (it awaits a hearing in October 2017). Privacy researchers from the Belgian Privacy Commission asked academic privacy researchers for help. You can find some technical details here. The updated technical report by KU Leuven researchers can be found here.
These actions are substantial for a number of reasons; the first one is the scope.
First. Keeping in mind that the General Data Protection Regulation is not yet in force, Facebook has argued that its actions are subject to the Irish Data Protection Authority. Other EU countries disagreed and proceeded with an action.
Second. The technical details. I’m focusing on the details released by CNIL, which even decided to sanction Facebook with a 150,000 EUR fine (under the GDPR, in principle, such fines become much higher); the DPA of the Netherlands is considering a similar move.
From the technology side CNIL’s ruling (here) is very interesting and sets the scene for next year’s GDPR.
CNIL spotted that:
- Facebook did not allow users to control which user data can be used by advertisers to target ads
- The “datr” cookie is back - CNIL points out that users have no knowledge of or control over tracking when visiting websites that use FB’s social plugin. I remember that FB’s line of argument was something along the lines that the “datr” cookie is useful in abuse/fraud detection, and that it’s a “privacy-preserving” mechanism.
We go more technical now.
CNIL has found that Facebook, “By using the web browser settings, do not allow users to validly oppose to cookies placed on their terminal equipment”.
It appears that CNIL wants to require websites to honour cookie-blocking settings (or tracking settings). On this particular point, I reckon that it’s also about transparency: whether Facebook explains how users may control cookies with browser settings. If that were a general requirement aimed at all websites, it would be very telling. I am not sure whether this particular point concerns Do Not Track, the technical means of expressing tracking consent. Probably not.
Another point of interest is “Do not demonstrate the need to retain the entirety of IP addresses of users all along the life of their account.”
Technically speaking, CNIL wants Facebook to anonymise IP addresses. If I understand correctly, this request may be generalised. Consequently, the need to carefully assess when a system needs to store a full IP address and when it does not would be a point for consideration for all websites. I suspect that this particular point may end up being strictly enforced once the GDPR and, later, ePrivacy come into force.
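As an added illustration (not code from this post, from CNIL’s ruling, or from Facebook), here is one way a site could apply that assessment: keep the full address only during a short security window and store a prefix-truncated form afterwards. The window length, the prefix lengths and the sample records are assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed retention window for full addresses (not a figure from CNIL).
SECURITY_WINDOW = timedelta(days=7)

# Constructed sample records (timestamp, client IP); not real log data.
SAMPLE_RECORDS = [
    ("2017-05-16T10:00:00Z", "203.0.113.57"),
    ("2017-05-16T10:00:01Z", "2001:db8:85a3::8a2e:370:7334"),
    ("2017-05-16T10:00:02Z", "not-an-ip"),
]


def truncate_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Zero the host-identifying bits of an address.

    IPv4 keeps the first v4_prefix bits (default /24, so the last octet
    goes); IPv6 keeps v6_prefix bits (default /48, dropping subnet and
    interface identifier). Returns None if the input is not an address,
    so the caller can drop the record instead of storing a stray string.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network((addr, prefix), strict=False)
    return str(network.network_address)


def _parse_ts(iso_text):
    # Accept the trailing "Z" that fromisoformat() rejects before 3.11.
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def minimise_record(timestamp, ip_text, now_iso):
    """Full address while still inside SECURITY_WINDOW, truncated after."""
    if truncate_ip(ip_text) is None:
        return None  # invalid input: do not store anything
    age = _parse_ts(now_iso) - _parse_ts(timestamp)
    return ip_text if age <= SECURITY_WINDOW else truncate_ip(ip_text)


def anonymise_records(records, now_iso):
    """Apply minimise_record to every record, dropping unparsable ones."""
    out = []
    for ts, ip in records:
        kept = minimise_record(ts, ip, now_iso)
        if kept is not None:
            out.append((ts, kept))
    return out
```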
Summary
That’s a very interesting development from a number of angles: the scope and the territorial interpretation, and the establishment of the “Contact Group”, which signals stricter cooperation between DPAs. Finally, the technical requests.