In December 2014, Facebook announced that it would revise its Data Use Policy and Terms of Service. At the request of the Belgian Privacy Commission, ICRI/CIR (KU Leuven), in cooperation with iMinds-SMIT (Vrije Universiteit Brussel) conducted an extensive analysis of Facebook’s revised policies and terms.
Photo source: Pixabay
Facebook rolled out its new policies and terms on January 30th, 2015. In the text, Facebook authorizes itself to (1) track its users across websites and devices; (2) use profile pictures for both commercial and non-commercial purposes and (3) collect information about its users’ whereabouts on a continuous basis. Facebook announced the changes more than a month in advance, but the choice for its +1 billion users remained the same: agree or leave Facebook.
To be clear: the changes introduced in 2015 weren’t all that drastic. Most of Facebook’s “new” policies and terms are simply old practices made more explicit. Our analysis indicates, however, that Facebook is acting in violation of European law. First, Facebook places too much burden on its users. Users are expected to navigate Facebook’s complex web of settings (which include “Privacy”, “Apps”, “Adds”, “Followers”, etc.) in search of possible opt-outs. Facebook’s default settings related to behavioural profiling or Social Ads, for example, are particularly problematic. Moreover, users are offered no choice whatsoever with regard to their appearance in “Sponsored Stories” or the sharing of location data. Second, users do not receive adequate information. For instance, it isn’t always clear what is meant by the use of images “for advertising purposes”. Will profile pictures only be used for “Sponsored Stories” and “Social Adverts”, or will it go beyond that? Who are the “third party companies”, “service providers” and “other partners” mentioned in Facebook’s data use policy? What are the precise implications of Facebooks’ extensive data gathering through third-party websites, mobile applications, as well recently acquired companies such as WhatsApp and Instagram?
At the request of the Belgian Privacy Commission, ICRI/CIR, in close cooperation with iMinds-SMIT, drafted a report analysing Facebook’s revised policies and terms. The report forms part of the documentation upon which the Privacy Commission will rely in the course of its further investigation. The Belgian Privacy Commission is also part of a European task force, which includes data protection authorities from the Netherlands, Belgium and Germany. ICRI/CIR and iMinds-SMIT will continue to support the Privacy Commission in the context of its investigation and future updates to the report will also be shared with their German and Dutch colleagues.
You can download the latest version of the report here.
