Germany Demands More From Facebook on GDPR
A letter from Germany’s Justice Minister to Facebook this week criticized its efforts to comply with GDPR and recommended that the social media platform implement an internal control and sanction mechanism to prevent abuse of Facebook data by third-party developers. The letter (in German) was published in full by local media there and covered by TechCrunch (in English).
To deal with the problem of third-party abuse (highlighted by the Cambridge Analytica news), Germany asked Facebook to monitor third-party compliance with its policies and dispense “harsh penalties” for violations. The result is that Facebook (and others) will need to audit their data sharing to ensure that third parties are using the data in line with what users are told. The potential problems of data sharing (or data leaks) to third parties are a topic that we are very familiar with here at Clarip given our software to provide data risk intelligence, and Germany’s demand of Facebook.
The letter also criticized Facebook’s decision to move its data center out of the European Union and thus avoid the effect of GDPR on the privacy of approximately 1.5 billion people. It used this as an example to call into question Facebook’s stated commitment to apply GDPR to everyone.
Privacy by default was another area specifically mentioned in the letter. Privacy by default requires that organizations minimize their data collection with the default settings. Germany said that Facebook has more to do in this area in order for its data processing operations to comply with Article 25.
Consent for facial recognition was yet another specific area where Facebook was criticized. Germany told Facebook that it needs to obtain consent for each data use and can’t bundle up the consents into a lump sum form. TechCrunch noted that Facebook’s consent for facial recognition provided “no specific examples … of the commercial uses”.
The letter applauded certain efforts by the company to improve user privacy, such as its decision to limit ties to data dealers. However, overall Germany thinks that Facebook has more to do toward the GDPR’s “core requirements”.
The other piece of information that came out about Facebook recently was the double standard between how it views internal snooping on Facebook employees versus how it treats employee snooping on non-employees. Internally, there is a tool that alerts managers when a Facebook employee is accessing an employee profile using internal software. Employees must give a legitimate reason to access the profile and the justifications are reviewed later.
Ordinary users receive no such protection. The Wall Street Journal reported that a Facebook spokesperson told the paper that the company considered expanding use of the tool to also alert users, but that it would then be difficult to investigate bad actors without alerting them.
The media coverage of Facebook’s privacy practices continues to uncover new angles and problems, stoking pressure on regulators to act. It will be interesting to see how long it takes the EU to impose fines on Facebook after the May deadline for implementation passes as well as for Congress to act.