Tag Archives: Facebook

Why did Facebook just receive (one of) the biggest data protection fine(s) on record

The Spanish Data Protection Authority announced today that it has fined Facebook 1.2 million euro for several breaches of the Spanish Data Protection Law. Here’s a brief note in English from Politico.eu and the full press release of the Spanish DPA (in ES).

To my knowledge, this is the biggest fine issued by a Data Protection Authority in Europe for breaches of data protection law (as always, please correct me in the comments below and I will make the changes. UPDATE: It’s worth noting that the Italian Garante, in an investigation conducted together with the Guardia di Finanza – a specialised body investigating financial crime – issued in February this year a total fine of 5.8 million euro to a company that was transferring money from Italy to China on behalf of persons without their knowledge, which also meant that it was processing personal data without consent. The total was reached by adding up fines for unlawfully processing the data of every person affected).

According to the press release, the Spanish DPA found two “serious breaches” and one “very serious breach” of the Spanish Data Protection Law. This investigation is part of a joint initiative of a Contact Group composed of the DPAs of Belgium, France, Hamburg and The Netherlands.

So what prompted this record fine?

According to the press release (please note that all quotes are my own unofficial translation, so they must not be relied on as legal advice. UPDATE: An official press release is now available in English):

  • Personal data on political views, religious beliefs, sex, personal preferences or location data are collected directly, via mere interaction of the data subject with Facebook services or with third-party webpages, without clearly informing the user about the use and the purposes of collecting this data.
  • Facebook does not obtain unequivocal consent, specific and informed, from users to process their data, because it does not properly inform data subjects.

Each of the serious breaches was fined 300,000 EUR and the very serious breach was fined 600,000 EUR, which adds up to the 1.2 million euro total.

The very serious breach was that “the social network processes special categories of data for marketing purposes, among others, without obtaining the explicit consent of users, as required by the data protection law”.

“The investigation made it possible to prove that Facebook does not inform users in an exhaustive and clear manner about the data that it is going to collect and the processing operations it is going to carry out with that data, limiting itself to giving only some examples. In particular, the social network collects other data derived from the interaction carried out by users, both on the platform itself and on third-party websites, without them being able to clearly perceive the data that Facebook collects about them, or the purposes for which the data is collected”, according to the press release.

The DPA also took into account that “users are not informed about how their data are processed through the use of cookies – some of them used exclusively for marketing purposes and some of them used for a purpose that the company categorised as “secret” – when they access web pages that do not belong to the company but that contain the “Like” button”. The DPA also mentions the situation of users who are not registered with the social platform but who at some point visit one of the platform’s pages: their data is retained by the social network as well.

The DPA also found that “the privacy policy contains general formulations that are not clear, and it obliges the user to access a multitude of links to be able to read it”. On the one hand, the DPA notes, a Facebook user with an average knowledge of how new technology works is not able to fully understand the collection of data, how it is subsequently used, or why it is used. On the other hand, non-users are not able to be aware at all of how their data is used.

Finally, the DPA also stated that it was able to prove that Facebook does not delete the data it collects on the basis of users’ online browsing habits, retaining it and reusing it in association with the same user. “Concerning data retention, when a user deletes their account and asks for deletion of their data, Facebook retains and processes data for another 17 months through a cookie. This is why the DPA considers that the personal data of users are not completely deleted either when they stop being necessary for the purposes for which they were collected, or when the user explicitly requires their deletion“.
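The two mechanisms the DPA describes above (a widget embedded on third-party pages that sets a cookie for registered and non-registered visitors alike, and a cookie that keeps identifying a user after the account is deleted) are easiest to understand as a protocol. The following is an added illustration written for this post, not Facebook’s code or anything the DPA published: the cookie name `widget_id`, the `news.example`/`shop.example`/`forum.example` page URLs and the cookie attributes are assumptions, and the 510-day lifetime simply mirrors the 17-month figure quoted above rather than describing any real cookie. It models a third-party “button” endpoint, a browser that fetches it from several unrelated sites, and the correlation the endpoint can perform from the `Referer` header and its own cookie.

```python
# Added illustration (not Facebook's code): how a third-party widget such as a
# "Like" button can correlate visits across unrelated sites with one cookie,
# and why deleting a profile does not by itself end that correlation.
# Cookie name, page URLs and lifetime are assumptions chosen for the example.
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

COOKIE_NAME = "widget_id"              # hypothetical tracking cookie name
COOKIE_MAX_AGE = 17 * 30 * 24 * 3600   # about 17 months, mirroring the decision


def parse_cookie_header(value: str | None) -> dict[str, str]:
    """Split a request 'Cookie:' header into a name -> value dict."""
    jar: dict[str, str] = {}
    for part in (value or "").split(";"):
        if "=" in part:
            name, _, val = part.strip().partition("=")
            jar[name] = val
    return jar


def parse_set_cookie(value: str) -> dict[str, str]:
    """Parse a response 'Set-Cookie:' header into name/value plus lower-cased attributes."""
    first, *attrs = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    out = {"name": name, "value": val}
    for attr in attrs:
        key, _, attr_val = attr.partition("=")
        out[key.lower()] = attr_val
    return out


@dataclass
class WidgetServer:
    """Toy third-party endpoint that serves the button and records every hit."""
    visits: dict[str, list[str]] = field(default_factory=dict)   # visitor id -> referer hosts
    accounts: dict[str, str] = field(default_factory=dict)       # visitor id -> username

    def handle(self, headers: dict[str, str]) -> dict[str, str]:
        """Handle one GET of the embedded button and return the response headers."""
        jar = parse_cookie_header(headers.get("Cookie"))
        visitor = jar.get(COOKIE_NAME) or secrets.token_hex(8)  # mint an id for newcomers
        host = urlsplit(headers.get("Referer", "")).hostname or "unknown"
        self.visits.setdefault(visitor, []).append(host)
        # Re-issue the cookie on every hit, so its expiry clock is reset each time.
        return {
            "Set-Cookie": f"{COOKIE_NAME}={visitor}; Max-Age={COOKIE_MAX_AGE}; "
                          "Path=/; Secure; HttpOnly; SameSite=None",
        }

    def delete_account(self, visitor: str) -> None:
        """Model of a deletion that removes the profile but leaves the cookie's history."""
        self.accounts.pop(visitor, None)

    def sites_seen(self, visitor: str) -> set[str]:
        """Every third-party host on which this visitor loaded the button."""
        return set(self.visits.get(visitor, []))


@dataclass
class Browser:
    """Minimal browser: one cookie jar for the widget's origin."""
    jar: dict[str, str] = field(default_factory=dict)

    def load_page_with_button(self, server: WidgetServer, page_url: str) -> dict[str, str]:
        """Load a page that embeds the button; the embed request carries the page as Referer."""
        headers = {"Referer": page_url}
        if self.jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        parsed = parse_set_cookie(server.handle(headers)["Set-Cookie"])
        self.jar[parsed["name"]] = parsed["value"]
        return parsed


def simulate() -> dict[str, object]:
    """A visitor browses unrelated sites, registers, deletes the account, keeps browsing."""
    server, browser = WidgetServer(), Browser()
    first_cookie = browser.load_page_with_button(server, "https://news.example/article/1")
    browser.load_page_with_button(server, "https://shop.example/cart")
    visitor = browser.jar[COOKIE_NAME]
    server.accounts[visitor] = "alice"          # later registers an account
    server.delete_account(visitor)              # then asks for deletion
    browser.load_page_with_button(server, "https://forum.example/thread/7")
    return {
        "visitor": visitor,
        "sites": server.sites_seen(visitor),
        "cookie_days": int(first_cookie["max-age"]) // 86400,
        "profile_exists": visitor in server.accounts,
        "hits_after_deletion": len(server.visits[visitor]),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the simulation is the last three fields: the profile is gone, yet the same cookie still ties the post-deletion visit to the earlier ones and its lifetime is counted in hundreds of days. Anyone auditing a third-party embed can apply the same check by capturing the `Set-Cookie` headers the embed returns and reading off `Max-Age`/`Expires` and `SameSite` with a parser like `parse_set_cookie`.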

This decision shows, yet again, how important transparency towards the data subject is! As you will also see soon in my commentary on the Barbulescu v Romania judgment of the ECHR Grand Chamber of last week, correctly and fully informing the data subject is key to data protection compliance.

 


Study: How Your Facebook Privacy Settings Impact Graph Search

www.cio.com published an article today which attempts a privacy impact assessment of Facebook’s new Graph Search.

After much buzz and anticipation over its “top-secret” announcement today, Facebook revealed a new search capability called Facebook Graph Search.

The feature, which is currently available in a limited beta release, lets you search for friends, photos, restaurants, games, music and more. Results that Facebook returns will depend on your friends’ privacy settings and the privacy settings of people you’re not connected to.

Graph Search is available only in English and if you want to sign up for the waitlist for Graph Search, visit facebook.com/graphsearch.

“When Facebook first launched, the main way most people used the site was to browse around, learn about people and make new connections,” write Tom Stocky, director of product management, and Lars Rasmussen, director of engineering, in a press release. “Graph Search takes us back to our roots and allows people to use the graph to make new connections.”

Graph Search will appear as a bigger search bar at the top of each page. At today’s press conference, Facebook CEO Mark Zuckerberg made a point of explaining the difference between traditional Web search and Graph Search; the two are very different, he says.

According to Facebook, Web search is designed to take a set of keywords and provide the best possible results that match those keywords. Graph Search, the company says, lets you combine phrases—such as “movies my friends like”—to find that set of people, places, photos or other content that’s been shared on Facebook.

Another difference: every piece of content on Facebook has its own audience, and Facebook has built Graph Search with that privacy in mind, it says. “It makes finding new things much easier, but… (read the whole story HERE).

 

 

Is it really necessary? Credit Bureaus intend to follow you on Facebook

thelocal.de reports that Germany’s biggest credit bureau Schufa plans to tap social networks such as Facebook and Google Street View in a huge data trawl for personal information to use in deciding whether a person is credit-worthy.

I recently started to look Europe-wide at credit bureaus’ practices regarding privacy and data protection, and what I have found is that credit bureaus – which are most often private entities – place themselves in this we-don’t-care-about-your-privacy-rights bubble, and nobody complains about it! I discovered that there is no common EU policy for credit bureaus, hence they function under self-determined rules, which leads to widely differing practices. For instance, some credit bureaus retain your personal data for 6 months and others retain it for 10 years. Plus, you never know which kind of data they gather!

Hence, this piece of news is quite interesting.

“A joint investigation by radio station NDR Info and Die Welt newspaper unearthed internal papers about the establishment of a “Schufa Lab” research group to work out how to link information found on the Internet with other details about personal credit rating.

Schufa is a privately-held credit bureau – by far the biggest in the country. It confirmed cooperation with the Hasso-Plattner Institute for software systems technology (HPI) in Potsdam on the project.

Ideas which will be discussed and examined include using profiles on services such as Facebook, Xing and Twitter in order to get addresses, Die Welt reported on Thursday. Property rental and sale sites such as immoscout24 or mobile.de could also be used, the paper said.

The statistical linking of particular personal characteristics to ability or willingness to pay off loans could also be part of the research, while detailed information will be gathered in the huge data trawl.

Both the HPI and Schufa stressed that the research would be conducted according to the highest ethical standards, and that everything would be published after a three-year work period.

The more concrete plans of Schufa were contained in a second paper, Die Welt said. This included the idea that, “Information generated from the web would be linked by Schufa with other information and analysed from a business perspective.””

You can read the whole story HERE.

 

Americans are getting more privacy savvy on Facebook

Whether it’s pruning friends lists, removing unwanted comments or restricting access to their profiles, Americans are getting more privacy-savvy on social networks, according to a new report cited by Boston.org.

The report released Friday by the Pew Internet & American Life Project found that people are managing their privacy settings and their online reputation more often than they did two years earlier. For example, 44 percent of respondents said in 2011 that they deleted comments from their profile on a social networking site. Only 36 percent said the same thing in 2009.

Among other findings:

— Women are much more likely than men to restrict their profiles. Pew found that 67 percent of women set their profiles so that only their “friends’’ can see it. Only 48 percent of men did the same.

— Think all that time in school taught you something? People with the highest levels of education reported having the most difficulty figuring out their privacy settings. That said, only 2 percent of social media users described privacy controls as “very difficult to manage.’’

— The report found no significant differences in people’s basic privacy controls by age. In other words, younger people were just as likely to use privacy controls as older people. Sixty-two percent of teens and 58 percent of adults restricted access to their profiles to friends only.

— Young adults were more likely than older people to delete unwanted comments. Fifty-six percent of social media users aged 18 to 29 said they have deleted comments that others have made on their profile, compared with 40 percent of those aged 30 to 49 and 34 percent of people aged 50 to 64.

— Men are more likely to post something they later regret. Fifteen percent of male respondents said they posted something regrettable, compared with 8 percent of female respondents.

Read the whole story HERE.

Facebook could face €100,000 fine for holding data that users have deleted. And it all started from a 24 year old student!

The Guardian writes today one of my kind of stories: a little guy taking things into his own hands and fighting back against giants. And this happens in the data protection universe 😉

Max Schrems, 24, decided to ask Facebook for a copy of his data in June after attending a lecture by a Facebook executive while on an exchange programme at Santa Clara University in California.

Schrems was shocked when he eventually received a CD from California containing messages and information he says he had deleted from his profile in the three years since he joined the site.

After receiving the data, Schrems decided to lodge a list of 22 separate complaints with the Irish data protection commissioner, which next week is to carry out its first audit of Facebook. He wrote to Ireland after discovering that European users are administered by the Irish Facebook subsidiary. A spokeswoman for the commissioner confirmed its officers would be investigating the alleged breaches raised by Schrems as part of the audit. If the commissioner decides to prosecute and Facebook or any employees are found guilty of data protection breaches, the maximum penalty is a fine of €100,000.

What astonishes me is the kind of data Facebook stores about its users!

Among the 1,200 pages of data Schrems was sent were rejected friend requests, instances where he “defriended” someone, as well as a log of all Facebook chats he had ever had. There was also a list of photos of himself he had detagged, the names of everyone he had ever “poked”, which events he had attended, which he hadn’t replied to, and much more besides.

This story sounds like the beginning of serious legislation on the right to be forgotten, at least in the European Union.

More about the war Schrems is waging on the Europe v. Facebook webpage.