
Facebook’s European Privacy Problem


There is a suggestion in the Irish Times that Facebook Inc may be considering locating a European base of operations in Ireland. In that context it may be useful to consider the current situation regarding Facebook, its attendant applications and their use of Irish and European users’ Personal Data. The main question is whether all of Facebook’s behaviour is in compliance with Europe’s Data Protection Law, and the extent to which that law may apply to either Facebook Inc or any of the controllers of the Applications which rely on its systems.

This discussion is intended to be readable by a non-lawyer, but it is inescapable that some law has been quoted. Please bear with us through the legislative turbulence.

Data Protection’s Roots
The EU’s Data Protection Directives were introduced to eliminate potential inhibitions to trade arising from differing degrees of Data Protection in Member States. Directive 95/46 explicitly recognises the right to privacy contained in EU law and in the European Convention on Human Rights (ECHR). Breaches of that general right to Privacy are only acceptable if justified under the exceptions allowed for in Article 8 of the ECHR. See this informative posting by Thomas Otter for more background.

The Directives and the implementing Acts are intended to protect the personal data of EU citizens in a uniform manner across the EU. Personal Data is defined by Directive 95/46 Art 2(a) as

any information relating to an identified or identifiable natural person

What is the meaning of Processing in the context of the Directives?

Directive 95/46 defines it as including, but not being limited to

collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

Directive 95/46 Art 3(2) (as explained in Recital 12) allows an exception for

processing of data carried out by a natural person in the exercise of activities which are wholly personal or domestic, such as correspondence and the holding of addresses.

It should be clear that a PR person dealing with their address book falls outside this exemption, but that it allows private people to keep a Gmail address book, and even perhaps to check it against membership of Facebook, provided that action is entirely personal or domestic. If a person is in a business where networking or keeping connections is required for their work, it is likely that this would fall outside the remit of the above exemption.

Part of The Establishment
Directives are high-level legislation which set out what each member state must ensure is law in its jurisdiction. It is up to each member state to bring its laws into line with those aims in whatever form is most suitable for its legal system. In Ireland, the Data Protection Acts set out to whom their provisions apply. In Section 3B, they include entities established in the State. Facebook seems to fall within one of the definitions of an entity established in Ireland (Section 3B(a)(ii)), namely one which

makes use of equipment in the state for processing the data otherwise than for the purpose of transit through the territory of the State

I think one such piece of equipment, given the earlier quoted definition of processing as including “dissemination or otherwise making available” personal data, is sitting on my desk.

Facebook Inc already has an office in London. This also puts them within the alternative definition of “establishment” (in the UK) in Section 3A(a), as having

an office, branch or agency through which he or she carries on any activity

But, one of the difficulties for transnational companies is that the Directive doesn’t allow them to pick just one EU country and comply with its Data Protection laws. Directive 95/46 Recital 19 puts an onus on a Data Controller established in multiple territories to fulfill the obligations of all those states.

One of Ireland’s obligations is that if a data controller is outside the EEA (which Facebook Inc is) and the data is processed inside this state (which, we’ve suggested above, happens with Facebook data) they must “designate a representative established in the State” (per the Data Protection Acts Section 3B(c)). I have not been able to find if Facebook has designated anyone as their representative in Ireland.

Consent by the person whose personal data is processed does not remove the duty to register as a Data Controller or Data Processor.

Safe Harbour?
Thomas Otter, whose excellent article on Facebook and Data Protection I linked to above, refers to Facebook Inc as claiming “safe harbour” status. This is a method by which companies and organisations working in countries which have not been deemed to have adequate protection for data may export the data of European citizens to those countries. In effect these organisations pledge to meet the requirements of the Data Protection Directives themselves.

US companies that want this status must register with the US Department of Commerce and have a Privacy Policy which complies with the terms of the Data Protection Directives. The problem for Facebook Inc is that they seem to have grown so quickly that their systems haven’t caught up with their compliance requirements in this area. For example, as reported by Channel Four News late last year, Facebook will resist requests to delete the Personal Data it holds when asked to do so by the data subject. Alan Burlison was the source of that report, and he outlines on his blog the responses he got from Facebook and then, following his complaints, from the UK Information Commissioner and from TRUSTe, a third party which certifies compliance with the Safe Harbour requirements.

Here’s the response he initially received:

If you deactivate, your account is removed from the site. However, we save all your profile content (friends, photos, interests, etc.), so if you want to reactivate sometime, your account will look just the way it did when you deactivated.

After Channel Four News came and interviewed him, he received a follow-up email:

We have permanently deleted your account per your request. We do not retain any information about your account once it is deleted, and thus deletion is irreversible.

This shows that compliance with the Data Protection principle that a person has a right to have information stored about them amended or erased is technically possible. It just isn’t policy. That would put Facebook’s real data handling practices at odds with its claim to Safe Harbour status, which in turn would raise the question of whether it is lawful for it to pass that data outside EEA borders. That, of course, is exactly what it potentially does every time a developer for the Facebook Platform creates an application.

Failure to comply with the provisions of the Data Protection Acts is a criminal offence. If European users suffer a loss arising from unlawfully held personal data, they would have grounds for an action against Facebook Inc. Facebook’s privacy policy shows that it is aware of the Data Protection Directives, so it can be presumed that this potential financial risk is something which they know or ought reasonably to know about. I can’t speak for Californian law, but here the common law burden of directors’ duties to their companies may leave those directors personally liable for losses which arise from a breach they ought reasonably to have avoided.

Applications, Complications

In all of this discussion, I’ve treated the Facebook Inc database as a single, unitary item. But, of course, pieces of it are passed to third parties when a Facebook member agrees to install an application. That agreement consists, in total, of not unticking a box beside the statement “Allow [Application Name] to access my information.” It is arguable that this wouldn’t, by itself, be enough to constitute genuine consent.

Where are these third parties based? Certainly some of them are in Europe. We’re not privy to the terms of any given agreement between Facebook and an Application controller. Nonetheless, questions need to be raised about the data protection standards of the entities or people controlling these applications. Are they registered with the local Data Protection Commissioner in each state in which they are established? If they are based in the US, are they all registered under Safe Harbour? If not, what liability may attach to the developers or their employers arising from these applications in the case of any future claims?

Endnote
Data Protection law is a relatively new field. There is not a great deal of case law clarifying these matters. This puts anyone trying to apply it to a real-world situation in the unhappy position of attempting to interpret the legislation, a task best left to judges. Nothing I say here should be taken as legal advice.

THE VIEWS AND COMMENTS EXPRESSED HEREIN ARE THOSE OF, AND PERSONAL TO, THE WRITER, AND ARE INTENDED FOR GENERAL DISCUSSION PURPOSES ONLY. THEY ARE NOT INTENDED TO BE RELIED UPON BY ANY PARTY. NO REPRESENTATION OR WARRANTY IS GIVEN AS TO THE ACCURACY OR CORRECTNESS OF SAME, NOR ARE THEY REPRESENTED AS CONTAINING (OR AS A SUBSTITUTE FOR) LEGAL ADVICE OR ASSISTANCE. NO LIABILITY WHATSOEVER (WHETHER IN CONTRACT, NEGLIGENCE, NEGLIGENT MISSTATEMENT OR OTHERWISE AT ALL) IS ACCEPTED TO ANY PERSON ARISING OUT OF ANY RELIANCE ON THESE VIEWS.

6 Comments

  1. A superb summary of the position and one I will use in a forthcoming post. Thank you.

  2. Simon,
    Excellent post, and it helps clear up any debate on the relevance of EU law for Facebook.

    Your section on domestic use exception would have been most useful a week or so ago…

    “It should be clear that a PR person dealing with their address book falls outside this exemption, but that it allows for private people to keep a gmail address book, and even perhaps to check it against membership of Facebook, provided that action is entirely personal or domestic. If a person is in a business where networking or keeping connections was required for their work, it is likely that this would fall outside the remit of the above exemption.

    I wonder if the courts would view 5000 friends as a “domestic” matter, never mind the testing an application bit in the incident to which I referred…

    Thomas

  3. Excellent and informative post Simon.

    There are some ‘best practice’ issues as well regarding Facebook’s Governance of its information that I am scratching some notes out about for a post over on my blog.

  4. You might have illuminated issues relevant to due diligence on the part of Facebook’s European fishing team.

  5. Interesting post – thank you. I am a UK citizen, and have over the past couple of weeks been wrestling with Facebook to get them to delete all the personal data they hold on me. I have repeatedly hit the “If we deactivate your account no other user can see it” response, which isn’t what I want.
    I finally got a response from them that they have deleted my personal details, but I do of course have no way of checking if they are telling the truth, or just saying this to shut me up.
    I am happy to share the details of the correspondence with you if it is of interest – you have my email address.

  6. Please, I need your help. My Facebook account is disabled. I must enter my account. Help me, please help me. It is [email protected]