Does Facebook hold up to EU privacy laws?


11 Feb 2008

Almost 200,000 Irish people are members of popular social networking site Facebook. But are we really sure what Facebook is planning to do with our personal data?

Family photographs, your favourite movies, your date of birth – this is just a fraction of the data that some 62 million Facebook members worldwide entrust to the site but few are aware of what happens to that information or what their rights are if this information is misused.

“As far as I know, nobody has discussed this yet from a European point of view,” says Simon McGarr of McGarr Solicitors, which represents civil rights group Digital Rights Ireland.

“It is a US company and the US doesn’t have data protection regarding this so it’s not an issue that ever comes up.

“In relation to Ireland and the rest of Europe, Facebook declared itself to be a safe harbour but that claim does not hold up to even the most basic examination because it doesn’t make any bones of the fact that it won’t delete your personal data if you ask for your profile to be deleted,” he explains.

“It’s like Hotel California: you can check out any time you like, but you can never leave.”

Safe Harbour is a self-regulatory method which organisations use when handling data from countries in which they do not have sufficient data protection. In other words, Facebook asks us to trust that it will take care of our personal data.

There are two issues at play here: whether Facebook is fulfilling its current role in Ireland as a data controller and what its duty is if it locates its European headquarters in Ireland, as is rumoured.

“If Facebook opens an office in Ireland it will be under the same kind of rigours that every other company here is and therefore subject to a fine or investigation by the Data Protection Commissioner.

“If the Data Protection Commissioner is aware in advance that there may be a problem, he will talk to the company and make sure it gets itself in order before the complaints start coming in,” adds McGarr.

However, there is the issue of user awareness, a timely topic given European Data Protection Day 2008 was held just last month on 28 January.

As it stands, every website, including social networking sites, has a privacy policy which potential users are obliged to read and agree to before use and all users must be aware that if they provide sites like Facebook with personal data, then they are doing so of their own volition.

Who owns this data and how it is used once you put it up there is another matter, says McGarr: “It’s very easy to set up an account and build up a collection of information but the terms and conditions claim ownership of everything that goes inside the walls.

“What it means is that Facebook owns all your information and has a permanent licence which it can reuse or resell at will,” says McGarr, explaining that he used to re-publish his online diary, or blog, through Facebook until he began thinking about what this meant.

“If Facebook is claiming ownership and it is usurping my copyright on my words, I’d prefer not to get into a row about that, so I took it down.”

The question this raises, says McGarr, is whether genuine consent is being given: “Europe has the Unfair Contract Terms Directive which says that even if one large company forces you to sign up to all these terms and conditions, you will not necessarily be held to them if they are deemed unreasonable.”

While Facebook itself has access to your personal data, so do the myriad companies or individuals that design the applications sitting on Facebook: if someone agrees to use one of these free applications which share video clips or tell friends what books you read recently, they are agreeing to give their personal data to these companies also.

“There are a lot of new developers in Europe working on Facebook applications, it is part of the new gold rush.

“I doubt whether the system of transferring data over to the applications can be done in a way that is coherent with the data protection legislation in Europe: Facebook has a badly-designed system from this perspective.

“I don’t know how many of these individuals or companies are following the data protection rules in every individual country where they have a user because that’s the important question: do I turn on an application and if I do and I live in Ireland, they are now bound to follow the rules of the Data Protection Act,” says McGarr.

At the end of the day, Facebook does not care because in the US these issues do not matter from a legal perspective, McGarr claims.

“A lawyer is never going to be able to request that access to Facebook is pulled down for everyone in Europe, so the organisation is just coasting here in the hope that it can fix things before people catch up with it.

“Is the company privacy friendly? It is privacy hostile: I would say it is actively hostile to the idea of privacy.”

By Marie Boran