The cited report (embedded below) is an updated version of an earlier document issued in February of this year.
According to The Guardian’s summary of EU privacy and consent rules, “EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (‘criterion A’) or to deliver a service specifically requested by the user (‘criterion B’).”
Below is an edited, partial overview of complaints to Facebook’s policies raised in the report:
Given the limited information Facebook provides and the absence of meaningful choice with regard to certain processing operations, it is highly questionable whether Facebook’s current approach satisfies [EU consent] requirements.
[Facebook’s] current default settings with regards to behavioural profiling and advertising (essentially “opt-out”) remain problematic. According to the Article 29 Working Part, consent cannot be inferred from the data subject’s inaction with regard to behavioural marketing. As a result, Facebook’s opt-out system for advertising does not meet the requirements for legally valid consent. In addition, opt-outs for “Sponsored Stories” or collection of location data are simply not provided.
Unfair contract terms:
In comparison to 2013, Facebook’s new Statement of Rights and Responsibilities (SRR) has not changed substantially. However, our analysis shows that there are several clauses which violate European consumer protection law. Specifically, Facebook’s SRR contains a number of provisions which do not comply with the Unfair Contract Terms Directive.
Facebook combines data from an increasingly wide variety of sources (e.g., Instagram, Whatsapp and data brokers). By combining information from these sources, Facebook gains a deeper and more detailed profile of its users. Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes. The current practice does not meet the requirements for legally valid consent.
Facebook monitors its users in a variety of ways, both off and on Facebook. While Facebook provides users with high-level information about its tracking practices, we argue that the collection or use of device information envisaged by the 2015 DUP does not comply with the requirements of article 5(3) of the e-Privacy Directive, which requires free and informed prior consent before storing or accessing information on an individual’s device. Facebook also tracks non-users in a manner which violates article 5(3) of the e-Privacy Directive.
Accordingly the bulk of the objections can be boiled down to two or three categories:
- Opt-in vs. op-out
- User knowledge and consent to Facebook’s practices
In February when the preliminary report was made public Facebook said the following about being in compliance with European privacy laws:
We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising, . . . We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates including this one with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.