This article was written by Ian Lopez for Legaltechnews. The original article can be found at: https://www.law.com/legaltechnews/2018/05/04/facebooks-gdpr-challenge-and-the-conundrum-of-consent/?kw=Facebook%27s%20GDPR%20Challenge%20and%20the%20Conundrum%20of%20Consent&et=editorial&bu=Law%20Technology%20News&cn=20180509&src=EMC-Email&pt=Editor%27s%20Pick
Previously a looming afterthought for compliance professionals and a siren song for privacy experts, the European Union’s General Data Protection Regulation (GDPR) was thrust into a new spotlight during the congressional hearings of Facebook CEO Mark Zuckerberg in the wake of the Cambridge Analytica scandal. While it remains unknown whether Facebook is currently, or will be, in compliance with the GDPR, Zuckerberg said in his testimony that Facebook will extend the protections guaranteed to EU users under the GDPR to U.S. users.
But the regulation, set to take effect May 25, sets forth compliance challenges diametrically opposed to how Facebook profits, particularly in crunching and licensing users’ data. And there remains skepticism over the company’s ability to meet the regulatory requirements (Zuckerberg’s own cheat sheet for the hearings reads, “Don’t say we already do what GDPR requires”), particularly those allowing EU users to have their data deleted upon request and requiring a lawful basis, such as user consent, before their data is processed.
Paramount among the compliance complications are Facebook’s relationships with third-party data processors, entities like Cambridge Analytica that take information collected by data controllers, like Facebook, and process it for their own purposes. (Strictly, under the GDPR a processor acts only on a controller’s instructions; a party that processes personal data for its own purposes is itself a controller, with a controller’s obligations.) Cambridge Analytica, however, is far from the only company to have had such an arrangement with the social media giant; Facebook cut off access for some of these partners in March. And, given that Facebook has been around for over a decade, much user data remains on the web, potentially unbeknownst to the company.
This poses significant challenges under the GDPR, particularly under Article 17, which allows a data subject to demand that a controller, like Facebook, erase their personal data “without undue delay.” Also known as “the right to be forgotten,” the right was established in earlier EU privacy law and court rulings, but it takes on new weight under the looming GDPR. Ross McKenzie, a U.K. partner at Addleshaw Goddard focusing on data privacy, told Legaltech News that, for companies like Facebook, “complying with existing law is a problem.”
“The issue that organizations have is really trying to track where their data is going to, its uses, what terms and permissions,” McKenzie said. “Once data is out of the bottle, like a genie, it’s difficult to put it back in. And you’re trying to turn the clock back, which is the biggest challenge.”
“When you use the Facebook app, how is your data then shared with other third parties linked to the service?” McKenzie said. “Facebook trying to police that is going to be very difficult.”
In McKenzie’s estimation, many of the “big issues” Facebook currently faces center on third-party collection, though he noted that the company is “very much focusing on the user-centric approach,” in which users can control their data-sharing preferences, “making it clear that this information is available to them.”
“Even over the last couple years, from a personal level, as a Facebook user myself, you are seeing more effort made to make you aware of the things you do and what that means for you when you change a setting [or] are tagged, for example. But you have to know where to look for those things, and I think that’s probably one of the issues.”
Damage Is in the Data
Indeed, Facebook has made strides to make its data collection more transparent to users in the EU and U.S. Addressing its measures for GDPR compliance, Facebook chief privacy officer Erin Egan and deputy general counsel Ashlie Beringer noted in an April press release that Facebook has already started prompting users in the EU and Canada to consent to targeted advertising, data collection, and the use of facial recognition technology.
“As soon as GDPR was finalized, we realized it was an opportunity to invest even more heavily in privacy. We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook,” the release noted.
Not all, however, buy Facebook’s benevolence on privacy. TechCrunch’s Josh Constine writes that Facebook’s current approach amounts to “a ton of small changes,” with “design that encourages rapidly hitting the ‘Agree’ button, a lack of granular controls,” as well as “a laughably cheatable parental consent request for teens and an aesthetic overhaul of ‘Download Your Information’ that doesn’t make it any easier to switch social networks.”
Also skeptical of Facebook’s intent to increase privacy is Brittany Kaiser, a former business development director at Cambridge Analytica and one of the whistleblowers on the company’s practices. At an April press event, Kaiser, who holds an LLM in human rights, noted that many users aren’t even aware that such privacy controls exist.
“Not many people know that there’s an option to opt out,” Kaiser said. “You have to look for yourself, and it’s not easy.” She also highlighted the difficulty of complying with the GDPR’s right to be forgotten, given how long Facebook and other internet companies have been collecting user information. “You have to have quite a bit of money and very good lawyers to win some of those cases to remove your data after it’s been collected and been made available to others.”
Facebook’s user data brings in a healthy profit. In 2017, each of Facebook’s users generated an average of $20.21 in advertising revenue, for a total of $39.9 billion. For some, the scope of the data collected from U.S. users is alarming. The New York Times’ Brian X. Chen, who characterizes his Facebook profile as “sparse” in detail, writes that, on downloading his Facebook data, he found that roughly 500 advertisers had his contact information, such as his address and phone number, his apartment buzzer number and his phone book.
A data processor’s responsibilities are spelled out in the GDPR. Article 28 requires that controllers like Facebook use only processors that provide sufficient guarantees of appropriate technical and organizational measures, such that processing meets the regulation’s requirements “and ensure[s] the protection of the rights of the data subject.” In practice that means the controller remains answerable for what its processors do with the data, and must be able to instruct them, including to delete it.
David Lucas, a partner at Bradley Arant Boult Cummings specializing in data privacy, told LTN that, under the GDPR, processors are obligated to “purge every bit” of information requested. “I don’t know that any of the data mining companies are that well prepared to do that,” he added, noting that this is where EU regulators are “going to target some of their enforcement activities.”
Lucas asked, “As you get further down that food chain, are they as advanced” as Facebook at data mining? Regulators, he suggested, would likely encounter “some small entrepreneurial companies that are not as sophisticated” and “less technologically capable of mapping those data sets” than the major companies, putting them at risk of running afoul of the GDPR.
Yet what counts as consent to process user data under the GDPR remains somewhat ambiguous in the eyes of those tasked with interpreting it. Speaking at Santa Clara Law School in late April, Facebook lead product counsel Andrew Rausa noted that, if a business cannot function without collecting certain user data, the processing may be treated as a contractual necessity (one of the lawful bases the GDPR recognizes alongside consent) and not require consent at all.
For Facebook and third-party consent requirements under GDPR, this creates what SecurePrivacy.AI founder Dan Storbaek called “a gray zone” for compliance. Storbaek, whose startup allows companies to scan websites to see whether they’re GDPR compliant, said a considerable amount of data Facebook collects is problematic for compliance. “Any data which is directly referable to an individual is personal data,” Storbaek said, noting generally that information like salary and religion fall into this category. Companies, therefore, “definitely need to get consent from the users.”
Storbaek highlighted the GDPR’s principle of “data minimization” as particularly problematic for Facebook. Set out in Article 5 and echoed elsewhere in the regulation, the principle requires that personal data be limited to what is necessary for the purposes for which it is processed. That sits uneasily with the way Facebook uses consumer data to target advertisements. “How do you get consent of a user to show an ad in the future?” Storbaek said. “In theory, that’s not possible. So that’s why it really becomes problematic.”
“One of the biggest challenges they have is, for almost decades, they’ve been collecting data. If they don’t have consent for the data they have about me, they won’t be able to use that data for ads moving forward after May 25, so they basically have to collect my consent or agree on what kind of lawful processing they will do with the data they already have about me,” he added.
In the view of Addleshaw Goddard’s McKenzie, GDPR Article 12, which requires organizations to be “transparent” about their use of user data, poses perhaps the biggest challenge for Facebook’s compliance, because it requires that such information be presented, as he put it, “in a way that is easy to understand, using clear language. Some of the concepts involved in data sharing are quite complex, and I think organizations are working really hard to deal with the legal requirements.”
Ian Lopez is the senior technology editor for ALM Media.