Facebook’s privacy policy breaches European law, report finds

Facebook Like

A report commissioned by the Belgian privacy commission has found that Facebook is acting in violation of European law, despite updating its privacy policy.

Related: Seven things we learned from Facebook's latest financial results

Conducted by the Centre of Interdisciplinary Law and ICT at the University of Leuven in Belgium, the report claimed that Facebook’s privacy policy update in January had only expanded older policy and practices, and found that it still violates European consumer protection law.

“Facebook’s Statement of Rights and Responsibilities (SRR) contains a number of provisions which do not comply with the Unfair Contract Terms Directive. These violations were already present in 2013, and they are set to persist in 2015,” wrote the authors.

According to the report, Facebook’s policies around profiling for third-party advertising do not “meet the requirements for legally valid consent”, while the social network “fails to offer adequate control mechanisms” with regard to the use of user-generated content for commercial purposes.

“Facebook places too much burden on its users. Users are expected to navigate Facebook’s complex web of settings in search of possible opt-outs,” wrote the authors. “Facebook’s default settings related to behavioural profiling or Social Ads, for example, are particularly problematic.”

The report also points out that there is no way to stop Facebook from collecting location information on users via its smartphone app other than to stop location access on the smartphone at the level of the mobile operating system.

“Users are offered no choice whatsoever with regard to their appearance in “sponsored stories” or the sharing of location data,” wrote the authors, stating that “users do not receive adequate information” to help them make informed choices where choices are available.

The authors continue: “We argue that the collection or use of device information envisaged by the 2015 data use policy does not comply with the requirements of article 5(3) of the EU e-Privacy Directive, which requires free and informed prior consent before storing or accessing information on an individual’s device.”

Facebook met with Bart Tommelein, the Belgian privacy minister, to discuss the report. The company claims that its privacy policy does not break Belgian data protection laws, according to reports.

Facebook is already being investigated by the Dutch data protection authority, which asked Facebook to delay rollout of its new privacy policy, and is being probed by the Article 29 working party formed of data regulators from individual countries across Europe, including the UK’s Information Commissioner’s Office.

“We recently updated our terms and policies to make them more clear and
concise, to reflect new product features and to highlight how we’re
expanding people’s control over advertising,” said a Facebook spokesperson. “We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates including this one­ with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.” ­

Powered by Guardian.co.ukThis article was written by Samuel Gibbs, for theguardian.com on Monday 23rd February 2015 12.50 Europe/Londonguardian.co.uk © Guardian News and Media Limited 2010