On January 30th 2015, Facebook revised its Data Use Policy (DUP) and Terms of Services. At the request of the Belgian Privacy Commission, ICRI/CIR (KU Leuven) and iMinds-SMIT (Vrije Universiteit Brussel) have conducted an extensive analysis of the revisions. So what does the current version of their report (dated 23rd February 2015) find?
Emma Cradock, a talented Web Science PhD student at the University of Southampton exploring new ways to standardise privacy policies, recaps for us the main findings of the report.
This is what Emma writes:
“CONSENT
The report questioned whether Facebook’s approach satisfies all the requirements of consent, the justification forming the basis for many of its processing activities. Although, clicking ‘Sign Up’ may constitute a clear indication of the wishes of a user, the report questioned whether consent is:
- Freely given, because of Facebook’s dominant position on the online social network market and its ‘all or nothing’ approach for many data uses
- Specific, as Facebook’s updated and previous DUP lack specificity with regard to the data it collects and how it uses this
- Informed, as Facebook fails to define in a comprehensive and intelligible fashion the purposes for which the data will be processed and the (categories of) recipients of the data.
- Unambiguous, as the default settings used by Facebook disclose information without the active engagement of the user.
PRIVACY SETTINGS
Although Facebook has not announced any changes to their privacy settings, the report found their current settings problematic. They found that they give users a false sense of control, offering them considerable control in regulating access to their data by other users but not meaningful control over the use of their personal information by Facebook or third parties.
UNFAIR CONTRACT TERMS
Although Facebook’s Terms have not changed substantially, the report highlights several clauses violating European consumer protection law already present, and set to persist. Specifically, their warranty disclaimer, liability limitation, indemnity, unilateral change, forum, choice of law and termination clauses, which do not comply with the Unfair Contract Terms Directive.
HOW FACEBOOK “COMBINES” AND “SHARES” DATA ABOUT ITS USERS
To a large extent, the changes introduced are mainly an extension upon existing practices. However, Facebook’s data processing capabilities have increased both horizontally (as data is gathered from an increasingly wide variety of sources) and vertically (in the growing types of information gathered), giving Facebook a deeper and more detailed profile of its users, which arguably they do not consent to.
FURTHER USE OF USER-GENERATED CONTENT
The report questions the wide licence Facebook’s Terms grant over user-generated content, and its compliance with copyright law, highlighting that exact compliance depends upon national law.
The report also questions whether ‘Sponsored Stories’ are ‘unsolicited commercial communications’ within the meaning of article 13(1) of the e-Privacy Directive or ‘other unsolicited communications’ as defined by Article 13 (3). The latter means that users must be able to opt out of receiving them, which Facebook does not offer.
The report also questions whether Facebook:
- Properly identifies ‘Sponsored Stories’ as commercial communications in line with article 6(a) of the e- Commerce Directive.
- Obtains the consent necessary to override a users right to ‘control the use of one’s image’ (as only an ‘opt-out’ system is used for advertising and users have no control over profile pictures being used for Sponsored Stories, other than to refrain from ‘liking’ pages or any other “social actions”).
Thus, the report finds that whilst the revised terms communicate Facebook’s use in a more transparent way, Facebook fails to offer adequate control mechanisms and in practice, the actual use of user-generated content in commercial communications is not transparent at all. Users may be aware of the possibility that their content might appear in ads, but are kept unaware about when and how this actually happens.
LOCATION
The report finds Facebook’s 2015 DUP slightly more explicit about the types of information Facebook collects to locate its user, but that the description of purposes is as vague and broad as it was in 2013. Furthermore, any mention of limiting the storage or use of location data to the time necessary to provide a service has been removed.
The report also criticises the binary choice users have when sharing location data. Once the Facebook mobile app is authorized to access location data, there are no further settings to modify sharing. Even if a user turns off Facebook’s access to location data (which must be done via the mobile operating system), this does not prevent Facebook from collecting location data via other means.
The report recommends Facebook:
- Implement granular location-data settings, allowing users to determine when and how location data can be used and to what purpose
- Make the defaults for these settings – off
- Provide more detailed information about exactly how, when and why location data is collected
- Only collect location data to the extent and for the duration necessary to provide the service requested by the user.
TRACKING
While Facebook provides high-level information about its tracking practices, the report argues that the collection or use of device information envisaged does not comply with article 5(3) of the e-Privacy Directive. This requires free and informed prior consent before storing or accessing information on an individual’s device; whereas, Facebook tracks users by default, meaning users must take steps to opt out of being tracked, which does not equate to legally valid consent.
DATA SUBJECT RIGHTS
The report posits that Facebook does not properly acknowledge data subjects rights, only mentioning them implicitly, nor does Facebook provide sufficient granularity in exercising them.
Right to Information: The information Facebook makes available is broad and generic, making it difficult for individuals to ascertain the uses to which specific data are being put and with whom it is being shared.
Right of access: The tool Facebook provides for users to download their data only concerns the requestor’s own profile (a fraction of the data Facebook holds on individuals) and does not make explicit: the actual purposes data has been used for; whom the data has been disclosed to; nor the logic behind any automated decision-making.
Right to object and erasure: The report finds that it is unclear to what extent these rights can effectively be exercised. Permanent ‘deletion’ of a users profile only relates to self-posted content and although users have some options to control the visibility of their information within their networks, they are not able to prevent Facebook from further using this.
The report states that it should be considered as provisional and will be updated after further research, deliberation and commentary.
Comments and suggestions on the report are welcome at: facebook.icri-cir@law.kuleuven.be”.