from the must-try-harder dept
The report runs to over 60 pages (pdf). The key findings are as follows:
To be clear: the changes introduced in 2015 weren't all that drastic. Most of Facebook's "new" policies and terms are simply old practices made more explicit. Our analysis indicates, however, that Facebook is acting in violation of European law. First, Facebook places too much burden on its users. Users are expected to navigate Facebook's complex web of settings (which include "Privacy", "Apps", "Adds", "Followers", etc.) in search of possible opt-outs. Facebook's default settings related to behavioural profiling or Social Ads, for example, are particularly problematic. Moreover, users are offered no choice whatsoever with regard to their appearance in "Sponsored Stories" or the sharing of location data. Second, users do not receive adequate information. For instance, it isn't always clear what is meant by the use of images "for advertising purposes". Will profile pictures only be used for "Sponsored Stories" and "Social Adverts", or will it go beyond that? Who are the "third party companies", "service providers" and "other partners" mentioned in Facebook's data use policy? What are the precise implications of Facebooks' extensive data gathering through third-party websites, mobile applications, as well recently acquired companies such as WhatsApp and Instagram?
Unfortunately for Facebook, this is just the start of a much wider investigation across Europe:
The Belgian Privacy Commission is also part of a European task force, which includes data protection authorities from the Netherlands, Belgium and Germany. [Leuven University's] ICRI/CIR and [Vrije Universiteit Brussel's] iMinds-SMIT will continue to support the Privacy Commission in the context of its investigation and future updates to the report will also be shared with their German and Dutch colleagues.
Looks like Facebook has a busy few years ahead of it -- and what applies to Facebook is also likely to apply to a host of other companies that offer online services based on gathering large amounts of personal data in Europe.