Tag: Facebook

High Court dismisses Facebook’s procedural complaints in Data Transfer Case

18. May 2021

On Friday, May 14th 2021, the Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission regarding data transfers from the EU to the U.S. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.

If finalized, the preliminary decision could force the social-media company to suspend sending personal information about EU users to Facebook’s servers in the U.S. While the decision of the High Court was only a procedural one, experts warn that the logic in Ireland’s provisional order could apply to other large tech companies that are subject to U.S. surveillance laws. This could potentially lead to a widespread disruption of trans-Atlantic data flows.

Facebook addressed the preliminary decision, stating that Friday’s court decision was procedural and that it planned to defend its data transfers before the Irish Data Protection Commission (DPC). It added that the regulator’s preliminary decision could be “damaging not only to Facebook, but also to users and other businesses.”

However, the Irish DPC still needs to finalize its draft decision ordering a suspension of data transfers and submit it to other EU privacy regulators for approval before it comes into effect. That process could take months, not counting potential other court challenges by Facebook.

Irish DPC launches investigation into Facebook data leak

26. April 2021

On April 14th, 2021, Ireland’s Data Protection Commission (DPC) announced it launched an investigation into Facebook’s data leak reported earlier this month (please see our blog post here). The inquiry was initiated on the Irish DPC’s own volition according to section 110 of the Irish Data Protection Act. It comes after a dataset of 533 million Facebook users worldwide was made available on the internet.

The Irish DPC indicated in a statement that, “having considered the information provided by Facebook Ireland regarding this matter to date, the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data”. The Irish DPC further stated that they had engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance, to which Facebook Ireland furnished a number of responses.

The launch of an investigation by the Irish authorities is significant due to the fact that Ireland remains home to Facebook’s European headquarters. This means the Irish DPC would act as the lead regulator within the European Union on all matters related to it. However, Ireland’s data watchdog has faced criticism from privacy advocates for being too slow with its GDPR investigations into large tech companies. In fact, the inquiry comes after the European Commission intervened to apply pressure on Ireland’s data protection commissioner.

Facebook’s statement on the inquiry has been shared through multiple media, and it has announced that Facebook is “cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”

Facebook data leak affects more than 500 million users

7. April 2021

Confidential data of 533 million Facebook users has surfaced in a forum for cybercriminals. A Facebook spokesperson told Business Insider that the data came from a leak in 2019.

The leaked data includes Facebook usernames and full name, date of birth, phone number, location and biographical information, and in some cases, the email address of the affected users. Business Insider has verified the leaked data through random sampling. Even though some of the data may be outdated, the leak poses risks if, for example, email addresses or phone numbers are used for hacking. The leak was made public by the IT security firm Hudson Rock. Their employees noticed that the data sets were offered by a bot for money in a hacking forum. The data set was then offered publicly for free and thus made accessible to everyone.

The US magazine Wired points out that Facebook is doing more to confuse than to help clarify. First, Facebook referred to an earlier security vulnerability in 2019, which we already reported. This vulnerability was patched in August last year. Later, a blog post from a Facebook product manager confirmed that it was a major security breach. However, the data had not been accessed through hacking, but rather the exploitation of a legitimate Facebook feature. In addition, the affected data was so old that GDPR and U.S. privacy laws did not apply, he said. In the summer of 2019, Facebook reached an agreement with the U.S. Federal Trade Commission (FTC) to pay a $5 billion fine for all data breaches before June 12, 2019. According to Wired, the current database is not congruent with the one at issue at the time, as the most recent Facebook ID in it is from late May 2019.

Users can check whether they are affected by the data leak via the website HaveIBeenPwned.

CJEU Advocate General’s opinion on GDPR’s One-Stop-Shop mechanism

26. January 2021

On January 13, 2021, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) published an opinion in the case of Facebook Ireland Limited, Facebook INC, Facebook Belgium BVBA v the Belgian Data Protection Authority “Gegevensbeschermingsautoriteit” (“Belgian DPA”), addressing the General Data Protection Regulation’s (“GDPR”) One-Stop-Shop mechanism.

In 2015, the Belgian DPA initiated several legal proceedings against Facebook Group members in local courts. The allegation was that Facebook placed cookies on devices of Belgian users without their consent, thereby collecting data in an excessive manner. Facebook argued that with the GDPR becoming applicable in 2018, the Belgian DPA lost its competence to continue the legal proceedings, as Facebook’s lead supervisory authority under the GDPR is the Irish Data Protection Commission. The Belgian Court of Appeal referred several questions to the CJEU, including whether the GDPR’s One-Stop-Shop regime prevented national DPA’s from initiating proceedings in the national courts when it is not the lead DPA.

The AG responded that, in his opinion, the lead DPA has the general jurisdiction over cross-border data processing, while a national DPA may exceptionally bring proceedings before its own national courts. The national DPA’s right is subject to the One-Stop-Shop regime and cooperation and consistency mechanism of the GDPR. Thus, each national DPA has the competence to initiate proceedings against possible infringements affecting its territory, the significant regulatory role of the lead DPA limits this competence with respect to cross-border data processing.

One of the concerns expressed by the Belgian DPA was the risk of insufficient enforcement if only lead DPA’s may act against organizations that do not comply with the GDPR. In this regard, the GA emphasizes that Art. 61 GDPR specifically provides for appropriate mechanisms to address such concerns. National DPA’s have the possibility to ask the lead DPA for assistance in investigations, and if such assistance is not provided, the national DPA concerned may take action itself.

In certain circumstances, the AG sees the possibility for national DPAs not acting as lead DPA to initiate proceedings before their national court, if

  • the DPA is acting outside of the material scope of the GDPR; e.g., because the processing does not involve personal data;
  • cross-border data processing is carried out by public authorities, in the public interest, or to comply with legal obligations;
  • the processor is not established in the EU;
  • there is an urgent need to act to protect the rights and freedoms of data subjects (Art. 66 GDPR);
  • the lead DPA has decided not to process a case.

With regards to data subjects, the AG notes that data subjects can bring action against any controller or processor before the court of their Member State and may file a complaint with their Member State’s DPA, regardless of which Member State’s DPA is the lead DPA.

The AG’s opinion is not legally binding on the CJEU, although the CJEU will take it into account. A final judgment of the CJEU is expected in the coming months. Thereafter, the Belgian Court of Appeal will have to decide its case in accordance with the CJEU’s judgment. The CJEU’s decision will most likely have a lasting impact on the division of roles between lead DPAs and other national DPAs, as well as on the ability of national DPAs to take enforcement actions into their own hands.

WhatsApp’s privacy policy update halted

22. January 2021

Already at the beginning of December 2020, first indications came up signaling that WhatsApp will change its terms of service and privacy policy. Earlier this year, users received the update notice when launching the app on their device. It stated that the new terms concern additional information on how WhatsApp processes user data and how businesses can use Facebook hosted services to store and manage their WhatsApp chats. The terms should be accepted by February 8th, 2021, to continue using the chat service. Otherwise, the deletion of the account was suggested, because it will not be possible to use WhatsApp without accepting the changes. The notice has caused all sorts of confusion and criticism, because it has mistakenly made many users believe that the agreement allows WhatsApp to share all collected user data with company parent Facebook, which had faced repeated privacy controversies in the past.

Users’ fears in this regard are not entirely unfounded. As a matter of fact, outside the EU, WhatsApp user data has already been flowing to Facebook since 2016 – for advertising purposes, among other things. Though, for the EU and the United Kingdom, other guidelines apply without any data transfer.

The negative coverage and user reactions caused WhatsApp to hastily note that the changes explicitly do not affect EU users. Niamh Sweeney, director of policy at WhatsApp, said via Twitter that it remained the case that WhatsApp did not share European user data with Facebook for the purpose of using this data to improve Facebook’s products or ads.

However, since the topic continues to stir the emotions, WhatsApp felt compelled to provide clarification with a tweet and a FAQ. The statements make it clear once again that the changes are related to optional business features and provide further transparency about how the company collects and uses data. The end-to-end encryption, with which chat content is only visible to the participating users, will not be changed. Moreover, the new update does not expand WhatsApp’s ability to share data with Facebook.

Nevertheless, despite all efforts, WhatsApp has not managed to explain the changes in an understandable way. It has even had to accept huge user churn in recent days. The interest in messenger alternatives has increased enormously. Eventually, the public backlash led to an official announcement that the controversial considered update will be delayed until May 15th, 2021. Due to misinformation and concern, users shall be given more time to review the policy on their own in order to understand WhatsApp’s privacy and security principles.

Apple to delay iOS 14 Ad Tracking Changes

9. September 2020

In an update from Apple on Thursday, 3rd of September 2020, it was announced that some of the plans that were supposed to be launched in the new iOS 14 update are being delayed. The new feature of iOS developers having to request permission from app users before collecting their data for ad tracking is being pushed back to the beginning of 2021.

This and other features are seen as a big step towards users’ privacy, which you can read up on in our previous blogpost, but they have been criticised by app developers and big tech giants alike.

The permission feature was supposed to change the way users’ privacy is being accessed, from the current opt-out method to an opt-in one. “When enabled, a system prompt will give users the ability to allow or reject that tracking on an app-by-app basis,” stated Apple.

However, this will be delayed until early next year, due to the fact that the changes would affect a large amount of the platforms’ publishers, which rely strongly on ad tracking revenue. Facebook criticized the changes and announced that some of their tools may lose efficiency, and hence cause problems for smaller app developers. To combat this issue, Apple said: “We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year.”

In recent years, Apple has taken its users’ privacy more seriously, launching new adjustments to ensure their right to privacy is being integrated in their devices.

„We believe technology should protect users’ fundamental right to privacy, and that means giving users tools to understand which apps and websites may be sharing their data with other companies for advertising or advertising measurement purposes, as well as the tools to revoke permission for this tracking,” Apple emphasized.

Category: EU · GDPR · General
Tags: , , ,

Apple’s new iOS Update will enhance Privacy Features

31. August 2020

At its Worldwide Developers Conference 2020 back in June, Apple announced new privacy features coming in a future iOS 14 update for its devices. These updates, coming in the fall, are supposed to include more control of sharing location data and indicators when an app is using the microphone or camera.

The updates mean that it will be further possible to limit how much location information is shared with apps, only allowing it to share approximate data rather than the devices precise location. Apple also introduced labels for app permissions to inform people how much data an app requests, before they even download them. The feature will show people those labels in two categories, on “Data Linked To You” and “Data Used to Track You“. However, this will have to be provided by the app developers themselves, leaving grey areas open.

“For food, you have nutrition labels,” said Erik Neuenschwander, Apple’s user privacy manager. “So we thought it would be great to have something similar for apps. We’re going to require each developer to self-report their practices.”

Further, the privacy updates also incorporate the Safari browser, allowing for a report on privacy while surfing the internet through the use of a “privacy report” button. It will allow the overview of all third-party trackers through one click, and allow the user to block them directly.

Apple also moved from the opt-out standard for apps using the user’s personal data to an opt-in scheme, requiring the active consent of the users in order to allow the use of their data.

While this is a positive development for all Apple users, Facebook states that it sees issues for small developers having to face these new privacy settings.

In a blog post, Facebook said it was making a change to its own apps, which in addition to its flagship app also include WhatsApp and Instagram, that would likely spare them from having to ask iPhone users for data-tracking permissions that many advertising industry insiders believe users will refuse. Facebook also stated it was making changes due to Apple’s new privacy rules that could hurt smaller developers that use a Facebook tool for serving apps in third-party apps.

Overall, Apple’s new privacy rules are a welcomed changes for its users, handing them further control over their own personal data.

Regional Court of Vienna judges in Schrems against Facebook case

6. July 2020

On June 30th, 2020, the Vienna Regional Court passed judgement in the case of Max Schrems against Facebook Ireland Limited, in the case number 3 Cg 52/14k-91 (in German). In the following, we will be presenting the case and the court’s judgement.

Facts of the case

In the years 2011, 2012, 2013, 2015 and 2019, the plaintiff submitted requests for information in accordance with Art. 15 GDPR. The defendant initially responded to these requests with an 18-page pdf file dated 09.06.2011 and a CD with further pdf files of 1,222 A4 pages. Despite the information provided, the plaintiff felt that his rights as stated by the GDPR had been violated, as none of the consecutive requests had been answered. From his point of view, the information provided was neither sufficient in terms of content nor was the number of responses in relation to the number of requests made sufficient for him.

Furthermore, the plaintiff was concerned by the data processing by third parties, about which he received no clear information. He also stated that he was “Controller” in the sense of the GDPR. The defendant had not fulfilled the resulting requirements, as Data Processor, of concluding a Data Processing Agreement with the plaintiff. Finally, the defendant had violated Art. 9 GDPR by failing to obtain consent in respect of his interests and further sensitive data, for which the plaintiff demanded injunction for future data processing.

Guiding principles of the judgement

The Regional Court judged on the following guiding principles in the case:

  • the defendant must provide the plaintiff with complete information in writing and free of charge within fourteen days about all personal data of the plaintiff processed by it, stating the exact origin and, if applicable, the exact recipients of the data,
  • and pay the applicant the sum of EUR 500 in damages within fourteen days.

Reason for decision

The regional court’s guiding principles on the case were the only points in the plaintiff’s claim in which they judged in his favour. The court has stated that the tools used and information given by the defendant to inform the plaintiff about the processed personal data is not enough to meet the requirements of Art. 15 GDPR’s right of access. This results in a lack of control of the plaintiff over his own personal data, which goes against his fundamental right to data privacy. Therefore, the court has ruled damages in the sum of EUR 500 as adequate compensation for the infringement of Mr. Schrems’ privacy.

Regarding Mr. Schrems’ other points, the court ruled that because the plaintiff uses the Facebook platform in light of private/family activities, he cannot be a Controller of the processed personal data due to the fact that according to Art. 2 II lit.c GDPR, the regulation does not apply to him. This also applies to social media and online networks, as mentioned in Recital 18. Therefore, Facebook is not a Data Processor in the terms of those private activities and purposes, which negates the requirement of a Data Processing Agreement according to Art 28 GDPR.

Further, the court sees no sensitive data in the lines of Art. 9 GDPR to be at risk. In light of the personalisation of the platform, such as personalized ads and suggestions, the court stated that this belongs to the core of the defendant’s business activities. As such, there is no consent needed, as the defendant states that the processing of the data is for the purpose of a contract. The plaintiff, according to the court, has entered into such a contract knowing of the terms of service and on his own behalf in order to use the platform’s services. An injunction regarding the future processing of such personal data is therefore not to be applied.

Assessment

Overall, the Regional Court’s judgement has only a minimal practical relevance, as it is hard to fully assess the consequences of the passed judgement. One can neither say how the conduct will affect the future management of the company, nor is it certain whether the judgement will even become final in the first place. However, the plaintiff has already announced on NOYB’s homepage that he will lodge an appeal, and it therefore will remain to be seen what practical relevance can be drawn from the case in the future.

Facebook releases new Privacy Tool for global use

31. January 2020

On Data Privacy Day, Facebook launched its new privacy tool, which gives its users control over how they are tracked across the net.

In a blog post, Facebook CEO Mark Zuckerberg introduced its “Off-Facebook Activity” tool, which had been promised since May 2008, to social network’s worldwide audience. It originally had slow roll-outs throughout different countries since August 2019, but is now officially available globally.

Facebook is known for its vast reaching tracking of internet activity, ranging from doorbell apps over sellers’ websites to health apps. It had been criticized by law-makers for its tracking practices, especially considering the social network keeps tracking your data when you deactivate your account.

Now, wanting the start into the new decade to be more privacy oriented, Mark Zuckerberg is prompting Facebook users to review their privacy settings. On top of deleting your tracking history, it is now possible to turn off future tracking altogether. Though it is important to keep in mind that Facebook does not stop advertisers and businesses from targeting ads based on other factors.

Overall, the tool is supposed to complement Facebook’s Privacy Checkup feature, to allow for users to regulate their privacy more thoroughly, and more importantly, on their own terms.

Facebook collects location data despite deactivation

19. December 2019

Facebook has admitted at the request of several US senators that they continuously collect location data, even if the user previously deactivated this feature.

In case of deactivating this feature, location data is collected, for example, by IP address mapping or user activity. This includes, for example, a self-conducted location-tag in a certain restaurant or at a special location, but also the case of being linked by friends to a photo that contains a location-tag.

In the letter that Senator Josh Hawley published on Twitter, Facebook states that they have only the best intentions in collecting the data. According to the statement, this is the only way, for example, to place personalized ads or inform a user when someone logs in to a completely different location than usual with their account.

While Facebook states that the location data – based on e.g. the IP address –  does not indicate an exact Location but only the postcode, for example, it means that there is no way for users to opt-out of the collection of location data.

Category: General
Tags: ,
Pages: 1 2 3 4 5 Next
1 2 3 5