Is Facebook trampling over laws that govern the processing of sensitive categories of personal data by failing to ask people for their explicit permission before it induces sensitive inferences about their sex life, religion or political notions? Or is the company merely treading uncomfortably and unethically close to the line of the law?
An investigation by the Guardian and the Danish Broadcasting Corporation has found that Facebook’s platform lets advertisers to target users based on interests related to political notions, sexuality and religion — all categories that are marked out as sensitive datum under current European data protection law.
And indeed under the incoming GDPR, which will apply across the bloc from May 25.
The joint investigation discovered Facebook’s platform had built sensitive inferences about users — letting advertisers to target people based on inferred interests including communism, social democrats, Hinduism and Christianity. All of which would be classed as sensitive personal data under EU rules.
And while the platform offers some constraints on how advertisers can target people against sensitive interests — not letting advertisers to exclude users based on a specific sensitive interest, for example( Facebook having previously run into trouble in the US for enabling discrimination via ethnic affinity-based targeting) — such controls are beside the point if you take the view that Facebook is legally required to ask for a user’s explicit consent to processing this kind of sensitive data up front, before making any inferences about a person.
Indeed, it’s very unlikely that any ad platform can put people into pails with sensitive labels like’ interested in social democrat issues’ or’ likes communist pages’ or’ attends gay events’ without asking them to let it do so first.
And Facebook is not asking first.
This is going to be a big battleground. We talk about inferred special category data regarding the context of the Article 29 Working Party guidelines on profiling here> https :// t.co/ TjCHqOvcBA( open access) https :// t.co/ XZB5ypjELs
— Michael Veale (@ mikarv) May 16, 2018
Facebook argues otherwise, of course — claiming that the information it meets about people’s affinities/ interests, even when they necessitate sensitive categories of information such as sexuality and religion, is not personal data.
In a reply statement to the media investigation, a Facebook spokesperson told us 😛 TAGEND
Like other Internet companies, Facebook depicts ads based on topics we suppose people might be interested in, but without utilizing sensitive personal data. This means that someone could have an ad interest listed as’ Gay Pride’ because they have liked a Pride associated Page or clicked a Pride ad, but it does not reflect any personal characteristics such as gender or sexuality. People are able to manage their Ad Preference tool, which clearly explains how advertising works on Facebook and provides a route to tell us if you want to see ads based on specific interests or not. When interests are removed, we show people the list of removed interests so that they have a record they can access, but these interests are no longer used for ads. Our advertising conducted in accordance with relevant EU law and, like other companies, we are preparing for the GDPR to ensure we are compliant when it comes into force.
Expect Facebook’s argument to be tested in the courts — likely in the very near future.
As we’ve said before, the GDPR suits are coming for the company, thanks to beefed up enforcement of EU privacy regulations, with the regulation providing for penalties as large as 4% of a company’s global turnover.
Facebook is not the only online people profiler, of course, but it’s a prime target for strategic litigation both because of its massive size and reaching( and the resulting power over web users flowing from a dominant position in an attention-dominating category ), but also on account of its nose-thumbing posture to compliance with EU regulations thus far.
The company has faced a number of challenges and sanctions under existing EU privacy law — though for its operations outside the US it typically refuses to recognize any legal jurisdiction except corporate-friendly Ireland, where its international HQ is based.
And, from what we’ve seen in so far, Facebook’s response to GDPR’ conformity’ is no new leaf. Rather it looks like privacy-hostile business as usual; a continued attempt to leveraging its size and power to force a self-serving interpretation of the law — bending rules to fit its existing business procedures, rather than reconfiguring those processes to comply with the law.
The GDPR is one of the reasons why Facebook’s ad microtargeting empire is facing greater scrutiny now, with only weeks to go before civil society organizations are able to take advantage of fresh a chance for strategic litigation allowed by the regulation.
” I’m a big fan of the GDPR. I genuinely believe that it gives us — as the court in Strasbourg would say — effective and practical redress ,” statute prof Mireille Hildebrandt tells us.” If we go and do it, of course. So we need a lot of public litigation, a lot of court cases to induce the GDPR work but … I think there are more people moving into this.
” The GDPR made a market for these sort of law firms — and I think that’s excellent .”
But it’s not the only reason. Another reason why Facebook’s handling of personal data is attracting attention is the result of tenacious press investigations into how one controversial political consultancy, Cambridge Analytica, was able to gain such freewheeling access to Facebook users’ data — as a result of Facebook’s lax platform policies around data access — for, in that instance, political ad targeting purposes.
The Cambridge Analytica scandal at least brought Facebook CEO and founder Mark Zuckerberg in front of US lawmakers, facing questions about the extent of the personal information it gatherings; what controls it offers users over their data; and how he thinks Internet companies should be regulated, to name a few.( Pro tip for politicians: You don’t need to ask companies how they’d like to be regulated .)
Zuckerberg should expect to be questioned very closely in Brussels about how his platform is impacting European’s fundamental rights.
Sensitive personal data wants explicit consent
Facebook deduces affinities linked to individual users by collecting and processing interest signals their web activity generates, such as likes on Facebook Pages or what people look at when they’re browsing outside Facebook — off-site intel it meets via an extensive network of social plug-ins and tracking pixels embedded on third party websites.( According to datum released by Facebook to the UK parliament the coming week, during merely one week of April this year its Like button appeared on 8.4 M websites; the Share button appeared on 931,000 websites; and its tracking Pixels were running on 2.2 M websites .)
But here’s the thing: Both the current and the incoming EU legal framework for data protection situates the bar for consent to processing so-called special category data equally high — at “explicit” consent.
What that entails in practice is Facebook needs to seek and protected separate permissions from users( such as via a dedicated pop-up) for collecting and processing this type of sensitive data.
The alternative is for it to rely on another special condition for processing this type of sensitive data. However the other conditions are pretty tightly drawn — relating to things like the public interest; or the vital interests of a data subject; or for purposes of” preventive or occupational medication “.
None of which would appear to apply if, as Facebook is, you’re processing people’s sensitive personal information merely to target them with ads.
Ahead of GDPR, Facebook has started asking users who have chosen to display political opinions and/ or sexuality information on their profiles to explicitly consent to that data being public.
Though even there its any measures were problematic, as it offers users a take it or leave it style’ option’ — saying they either remove the info solely or leave it and therefore agree that Facebook can use it to target them with ads.
Yet EU law also requires that permission be freely given. It cannot be conditional on the provision of a service.
So Facebook’s bundling of service provisions and permission will also likely face legal challenges, as we’ve written before.
” They’ve tangled the use of their network for socialising with the profiling of users for advertising. Those are separate purposes. You can’t tangle them like they are doing in the GDPR ,” says Michael Veale, a technology policy researcher at University College London, emphasizing that GDPR allows for a third option that Facebook isn’t offering users: Letting them to keep sensitive data on their profile but that data not be used for targeted advertising.
” Facebook, I believe, is quite afraid of this third alternative ,” he continues.” It goes back to the Congressional hearing: Zuckerberg said a lot that you can choose which of your friends every post can be shared with, through a little in-line button. But there’s no option there that tells’ do not share this with Facebook for the purposes of analysis ‘.”
Returning to how the company synthesizes sensitive personal affinities from Facebook users’ Likes and wider webs browsing activity, Veale highlights the fact that EU law also does not recognise the kind of distinction Facebook is seeking to draw — i.e. between inferred affinities and personal data — and thus to try to redraw the law in its favor.
” Facebook say that the data is not correct, or self-declared, and therefore these provisions do not apply. Data does not have to be correct or accurate to be personal data under European law, and trigger increased protection. Indeed, that’s why there is a’ right to rectification’ — because incorrect data is not the exception but the norm ,” he tells us.
” At the crux of Facebook’s challenge is that they are inferring what is arguably “special category” data( Article 9, GDPR) from non-special category data. In European statute, this data includes race, sexuality, data related to health, biometric the necessary data for the purposes of identification, and political opinions. One of the first things to note is that European law does not govern collect and use as distinct activities: Both are considered processing.
” The pan-European group of data protection regulators have recently confirmed in guidance that when you deduce special category data, it is as if you collected it. For this to be lawful, this is necessary a special reason, which for most companies is restricted to separate, explicit permission. This will be often different than the lawful basis for processing the personal data you used for inference, which might well be’ legitimate interests ‘, which didn’t necessitate permission. That’s ruled out if you’re processing one of these special categories .”
” The regulators even specifically dedicate Facebook like inference as an example of extrapolating special category data, so there is little wiggle room here ,” he adds, pointing to an example used by regulators of a study that combined Facebook Like data with” restriction survey information” — and from which it was found that researchers could accurately predict a male user’s sexual orientation 88% of the time; a user’s ethnic origin 95% of the time; and whether a user was Christian or Muslim 82% of the time.
Which underlines why these rules exist — given the clear risk of violates to human rights if big data platforms can merely suck up sensitive personal data automatically, as a background process.
The overarching aim of GDPR is to give consumers greater control over their personal data not only to help people defend their rights but to promote greater trust in online services — and for that trust to be a mechanism for greasing the wheels of digital business. Which is pretty much the opposite approach to sucking up everything in the background and hoping your users don’t realize what you’re doing.
Veale also points out that under current EU law even an opinion on someone is their personal data …( per this Article 29 Working Party guidance, emphasis ours ):
From the point of view of the nature of the information, the concept of personal data includes any sort of statements about a person. It covers “objective” datum, such as the presence of a certain substance in one’s blood. It also includes “subjective” datum, sentiments or appraisals . This latter sort of statements make up a significant share of personal data processing in sectors such as banking, for the assessment of the reliability of borrowers (” Titius is a dependable borrower “), in insurance (” Titius is not expected to die soon “) or in employment (” Titius is a good worker and merits promotion “).
We set that specific point to Facebook — but at the time of writing we’re still waiting for a answer.( Nor would Facebook offer a public response to several other questions we asked around what it’s doing here, preferring to limit its comment to the statement at the top of this post .)
Veale adds that the WP29 guidance has been upheld in recent CJEU suits such as Nowak — which he tells emphasized that, for example, annotations on the side of an exam script are personal data.
He’s clear about what Facebook should be doing to comply with the law:” They should be asking for individuals’ explicit, separate consent for them to extrapolate data including race, sexuality, health or political sentiments. If people say no, they should be able to continue using Facebook as normal without these inferences being built on the back-end .”
” They need to tell individuals about what they are doing clearly and in plain language ,” he adds.” Political opinions are just as protected here, and this is perhaps more interesting than race or sexuality .”
” They certainly should face legal challenges for the purposes of the GDPR ,” concurs Paul Bernal, senior lecturer in law at the University of East Anglia, who is also critical of how Facebook is processing sensitive personal information.” The affinity notion seems to be a fairly transparent attempt to avoid legal challenges, and one that ought to fail. The topic is whether the regulators have the intestines to build the point: It undermines a quite significant part of Facebook’s approach .”
” I suppose the reason they’re pushing this is that they think they’ll get away with it, partly because they think they’ve persuaded people that the problem is Cambridge Analytica, as rogues, rather than Facebook, as enablers and advocates. We need to be very clear about this: Cambridge Analytica are the symptom, Facebook is the disease ,” he adds.
” I should also say, I guess the differences between’ targeting’ being OK and’ excluding’ not being OK is also mostly Facebook playing games, and trying to have their cake and eat it. It simply invites gaming of the systems really .”
Facebook claims its core product is social media, rather than data-mining people to operate a highly lucrative microtargeted ad platform.
But if that’s true why then is it tangling its core social functions with its ad-targeting apparatus — and telling people they can’t have a social service unless they agree to interest-based advertising?
It could support a service with other types of advertising, which don’t depend on background surveillance that erodes users’ fundamental rights. But it’s opting not to offer that. All you can’ select’ is all or nothing. Not much of a choice.
Facebook telling people that if they want to opt out of its ad targeting they must delete their account is neither a road to obtain meaningful( and therefore lawful) permission — nor a very compelling approach to counter criticism that its real business is farming people.
The issues at stake here for Facebook, and for the shadowy background data-mining and brokering of the online ad targeting industry as a whole, are clearly much greater than any one data misuse scandal or any one category of sensitive data. But Facebook’s decision to retain people’s sensitive personal data for ad targeting without asking for consent up-front is a telling sign of something gone very wrong indeed.
If Facebook doesn’t feel confident asking its users whether what it’s doing with their personal data is okay or not, maybe it shouldn’t be doing it in the first place.
At very least it’s a failing of ethics. Even if the final judgement on Facebook’s self-serving interpretation of EU privacy rules will have to wait for the courts to decide.
Make sure to visit: CapGeneration.com
- Click to share on Facebook (Opens in new window)
- Click to share on Twitter (Opens in new window)
- Click to share on Google+ (Opens in new window)
- Click to email this to a friend (Opens in new window)
- Click to share on Pocket (Opens in new window)
- Click to share on WhatsApp (Opens in new window)
- Click to share on Reddit (Opens in new window)