Grumblings about changes in Facebook’s layout and policies are standard practice for everyone familiar with the social media giant. But some European governments are taking Facebook’s practices more seriously. This week, interdisciplinary scholars and researchers in Belgium issued a draft report entitled “From social media service to advertising network: A critical analysis of Facebook’s Revised Policies and Terms.” The report is provisional, and “will be updated after further research, deliberation and commentary.”
The report was based on an “extensive analysis of Facebook’s revised policies and terms,” conducted “at the request of the Belgian Privacy Commission.” The Commission is part of a task force of European Union (EU) data protection authorities created specifically to address Facebook’s shifting policies, which also includes Germany and the Netherlands.
This thorough analysis is useful both because it provides an in-depth explanation of items of note in the newly revised 2015 terms and because it explains how the terms fit in with European law. To be fair, it’s not all bad, and the report reiterates some long-standing concerns, that have not been affected by recent changes. The report also notes that Facebook has improved the degree of clarity around how it uses data, though rather large holes remain.
Facebook’s data processing capabilities have increased both horizontally and vertically. By horizontal we refer to the increase of data gathered from different sources. Vertical refers to the deeper and more detailed view Facebook has on its users.
In particular, this expansion has happened because Facebook has acquired new companies like Instagram and Whatsapp, and because more and more websites use Facebook plug-ins and other services. The report also noted that much of how Facebook uses data is simply opaque.
Although Facebook’s privacy settings haven’t changed, the report notes that:
users are able to choose from several granular settings which regulate access by other individuals, but cannot exercise meaningful control over the use of their personal information by Facebook or third parties. This gives users a false sense of control.
That false sense of control is key, since the report emphasizes the many ways in which users cannot actually limit use of their data. What’s more, Facebook’s default settings for “behavioural profiling and advertising” do not constitute legally valid consent because “consent cannot be inferred from the data subject’s inaction,” and this concept of explicit consent, taken from applicable EU law, recurs throughout the report.
To be legally valid under European Union law, consent to processing and use of user generated data must be “freely given”, “specific”, “informed” and “unambiguous.” The report stresses, “it is highly questionable whether Facebook’s current approach satisfies these requirements.”
Facebook’s practices with regards to how it combines data from a variety of sources, and shares data with other parties are also of questionable legality, according to the report. For example, the report describes a use case in which Facebook combines its own data with data from third-party data brokers. The report notes “Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes,” which in the authors’ view, is insufficient to meet legal requirements.
Facebook’s use of user-generated content, such as photos, is also problematic. Facebook’s terms grant “a non-exclusive, transferable, sub-licensable, royalty- free, worldwide license” to Facebook to use such content. The report notes that this may contradict EU and Belgian law, and has been held “invalid and therefore not enforceable under German Law.” Similarly, “[i]ndividuals have the right control use of their image,” but the lack of clarity in Facebook’s terms and settings makes this hard to do. That’s why the report recommends that users should be specifically required to opt-in to using their images for ads.
Unfair Contract Terms
In addition to the concerns noted above with how Facebook utilizes user data, the report indicates that some portions of Facebook’s terms may violate European consumer protection law, in particular the Unfair Contract Terms Directive (UCTD).
One stands out: Facebook’s right to stop providing access to Facebook without warning. Although the terms indicate that Facebook will notify users by email or the next time a user tries to log in, under the UCTD, “terms that enable ‘the seller or supplier to terminate a contract of indeterminate duration without reasonable notice except where there are serious grounds for doing so’ may be unfair.
As we’ve noted before, Facebook has terminated or suspended many accounts under its names policy. One of the things that users find especially frustrating is the experience of attempting to log in and not being able to access content they may have spent years amassing—all because they weren’t given a warning. Under European law, Facebook’s method of dealing with name violations may not be simply unfair. It may actually be illegal.
In addition to concerns about termination, the report several other problematic terms. It points out that Facebook's terms require disputes to be settled in California, under California law, even though the company has offices in three EU member states.This is likely unlawful under European Parliament regulations. Also, under the UCTD, the terms that limit Facebook's liability to $100, disclaim any warranty for content and software, and reserve the right to unilaterally change the terms themselves, are all likely unlawful. Lastly, the clause that "obliges users to indemnify Facebook for any expenses incurred, including legal fees, as a result of a violation of the terms of service" is unlawful in some EU countries.
Tracking and location data
Finally, the report notes that Facebook has increased the ways in which it collects data from users beyond cookies, and collects locational data from a wide variety of sources.
Although Facebook is more explicit in the 2015 terms about gathering locational data, it remains “vague and broad” in its description of what it will do with that data. And that’s a big gap. Users have only the choice to turn access to location data like GPS and WiFi off or on once in the mobile app; they can’t share location data for some purposes but not others. What’s more, Facebook may collect location data not only through explicit means like GPS, but also through other means like the location data in a photograph—and there are no settings that address this. The report recommends offering “granular in-app settings for sharing of location data, with all parameters turned off by default,” and minimizing collection of location data in the first place.
When it comes to tracking, Facebook tracks users through several means, including social plug-ins, fingerprinting, and mobile apps. Social plug-ins are things like Facebook’s “like” button on a news organization’s page. While outside websites can limit the degree of tracking done by plug-ins, the report concludes that Facebook’s current scheme doesn’t provide for legal consent, and that “Facebook should design its social plug-ins in way which are privacy-friendly by default.”
Other forms of tracking are also of questionable legality. Facebook’s practice of fingerprinting (using a different information like operating system and browser settings to create a “fingerprint” of a device) requires collection and use of device information that is likely not legal under article 5(3) of the e-Privacy Directive. And because tracking through apps can only be controlled by opting-out, like other areas where this is the only option, the report concludes that Facebook’s terms don’t “provide for legally valid consent” in this area, either.
Facebook isn’t going away anytime soon, but users should be clear on how the social media giant really operates. You can read the entire report here [PDF]. Hopefully Facebook is reading it too, and plans to address the serious issues raised. We've already given them a few suggestions on how to do so.
- 1. Specifically, the report noted the Unfair Contract Terms Directive, the work of the Article 29 Working Party, and the e-Privacy Directive.