Facebook investigated under EU data protection law


24 Jan 2008

As the Information Commissioner in the UK begins an investigation over how Facebook stores, retains and uses the personal data of its members, Ireland also has a pressing need to closely observe the social networking site, even more so if it decides to locate its European headquarters in Dublin as rumoured.

The Information Commissioner’s Office (ICO) in the UK launched the investigation after a former member of Facebook complained that although he has closed his account, all his personal information stayed with the site, meaning he had to manually remove all the information he did not want preserved.

As Simon McGarr of Dublin-based McGarr Solicitors, who represent civil rights lobby group Digital Rights Ireland (DRI), points out in his blog post on the issue (http://www.mcgarrsolicitors.ie/), under the EU’s Data Protection Directives a person has the right to have information stored about them amended or erased.

Furthermore, if Facebook locates to Ireland its responsibility in relation to data retention changes as it becomes a data controller inside the EEA, as opposed to its current status outside.

“The main question is whether all of Facebook’s behaviour is in compliance with Europe’s Data Protection Law, and the extent to which that law may apply to either Facebook Inc or any of the controllers of the applications which rely on its systems,” asks McGarr in his blog.

McGarr points out that under the EU Directive 95/46, Recital 19, Facebook must comply with each and every territory it operates in.

While Facebook has a data-retention policy of its own, the third-party applications that can be installed on the site such as Super Wall or Scrabulous have their own policies and use personal data of members when they install the application on their profile.

Although these third-party applications ask the user for consent before installation goes ahead, the consent is asked in an opt-out manner. The user must ‘untick’ a box saying they agree to personal data being shared with the application – an option that leaves the responsibility on the user to choose not to have information taken from them.

“It is arguable that this wouldn’t, by itself, be enough to constitute genuine consent,” says McGarr.

TJ McIntyre, the chair of DRI, said we shouldn’t just be asking if Facebook is complying with the law, “Instead we should ask, ‘are they privacy friendly?’, ‘are they following best practice?’.”

“It’s hardly a ringing endorsement of a company that it grudgingly complies with the bare requirements of the law. Those companies which take privacy seriously understand that legal requirements are a floor, not a ceiling,” he added.

By Marie Boran