There are fewer, if any, organisations who are more newsworthy or notorious in the data privacy landscape than Meta. Meta, formally Facebook, have been around since 2004 and have been collecting data on billions of people for many years. Facebook, after a period of pressure and whistleblowing leaks, changed its branding name to Meta, presumably in the hopes of creating a new reputation and seeking to shake off its bad reputation.
Facebook, Meta, however they would like to be called, have been the subject of some of the biggest data protection cases of recent years. The landmark Schrems II case which saw the breakdown of the EU-US Privacy Shield was around Facebook Ireland’s migration of data to Facebook Inc. Now whilst the practices of Facebook were not what ultimately brought down the EU-US Privacy Shield, but rather the unrestricted potential of the US Government for EU data subjects, it was Facebook’s processing activities which was the legal instrument drove the landmark case to judgment.
But anyway, enough of the past, what is happening now?
Before I go on, it is important to understand that Meta is reported to have made 97.5% of its revenue stream from advertising, a point I will come back to later in this article. This further illustrates how important it is for Meta to be transparent about how and where it shares data to, given that company almost entirely runs off its advertising platform. Meta are using the data they hold on us to make their money.
This updated Policy aims to cover the following of Meta’s products: Facebook, Messenger, Instagram, Facebook Portal products, Oculus Products, Shops, Marketplace, Spark AR, Meta Business Tools, Meta Audience Network, NPE TeamsApps, Facebook View.
At their core, Privacy Policies should be easy to understand. They are not for lawyers or privacy professionals. They should be written and drafted for the average consumer so that they can be made aware of how their data is being used and make a decision on whether they are happy with the use.
So, whilst the information which is written can be understood, there are gaps in what they inform the user about how they use their data, some of these gaps will be covered below.
Performance of Contract
It is important to remember that performance of a contract is about the contract between a data controller and a data subject, not contracts between organisations who will incidentally need to process the data of an individual. The explanation for why Meta process individuals’ data for the performance of a contract seems to be stretched – alluding to personalising news feeds, personalising ads and making suggestions for the user, improving their Meta products. The data in question is not data which is at the heart of the services which Meta provide, but rather their algorithms to utilise their advertising platform – which again, is 97.5% of their income.
Protection of your vital interests or that of another person
Meta have quite rightly alluded to the fact that this lawful basis is around life and death situations, that is the core meaning behind ‘vital interests’. But what data is Meta processing under vital interests? They do not provide health or social care services, so why are they relying on this basis?
Well, Meta says that they will share information with law enforcement agencies where someone’s interests require protection, including mental health, well-being, or integrity or that of others. So far, so good, there are no serious concerns with this – Meta has an enormous platform and using the data it holds to save lives is a positive act which I think most people would agree with, if used appropriately. However, when turning to what data Meta collect under this purpose (which is admittedly across different purposes), it seems very unproportionate. It must be remembered that data is collected only when it is strictly necessary for its purpose, this again is one of the principles of the GDPR.
For ‘vital interests’, Meta will collect the following data (which is not an exhaustive list, but an example of the data which seems questionable as to how this could amount to protecting vital interests): types of context you view or interact with, apps and features you use and what actions you take in them, hashtags you use, time, frequency and duration of your activities on Meta’s products, device characteristics and device software, what you’re doing on your device (such as whether the app is in the foreground or if mouse is moving), device signals, information shared through device settings, information about cookies.
In short, wow. I sincerely struggle to understand how this data could be used to protect the vital interests of an individual and isn’t just a way to hold an enormous amount of data about their users – their whereabouts, everything they look at, interact with, their habits and lifestyle. Yes, this information could theoretically be used to help vital interests, but Meta are not a health and social care agency, nor are they a law enforcement agency. They are a big-tech company who make their money from adverts. And what does all this data collect help them do? Advertise, not, saving lives.
What about data retention? One principle of the GDPR is around storage limitation. Data should not be held longer than it is reasonably necessary. So, what does Meta say about how long it stores user’s data?
“We [Meta] keep information as long as we need it to provide our products, comply with legal obligations or to protect our or other’s interests. We decide how long we need information on a case-by-case basis. Here’s what we consider when we decide:
- If we need it to operate or provide our products. For example, we need to keep some of your information to maintain your account. Learn more.
- The feature we use it for, and how that feature works. For example, messages sent using Messenger’s vanish mode are retained for less time than regular messages. Learn more.
- How long we need to retain the information to comply with certain legal obligations. See some examples.
- If we need it for other legitimate purposes, such as to prevent harm; investigate possible violations of our terms or policies; promote safety, security and integrity; or protect ourselves, including our rights, property or products
This is a very general statement. Case-by-cases are fine, but the examples and expansions given are also very general and do not give any real indication about how long data is held – other than what effectively is in perpetuity. Whilst there may be legitimate reasons as to why Meta hold the data, the specific examples are not adequately explained to users, so users will not have a good understanding of how long their data is being kept, and why.
For those in the know, Meta have serious issues when it comes to international transfers, and have even threatened to take their services out of Europe because of their inability to comply with the GDPR due to their central hub being located in the United States and their processing which takes place in the states.
We share the information that we collect globally, both internally across our offices and data centres, and externally with our partners, vendors, service providers and third parties. Because Meta is global, with users, partners and employees around the world, transfers are necessary for a variety of reasons, including:
- So we can operate and provide the services stated in the terms of the Meta Product you’re using and this Policy. This includes allowing you to share information and connect with your family and friends around the globe.
- So we can fix, analyse and improve our products
In my opinion, there are some gaping holes in this statement. Firstly, there is not a section which covers what countries or what data is sent to other countries, and whether those countries are outside the EEA. So, all we have is what is stated above. We learn that information is shared ‘globally’. They state that they will share the data to operate within the terms of the Meta Product and this policy and to fix, analyse and improve products. That’s all very well and good, but it’s not very user friendly. The statement is a blanket, capture all, way of transferring the data ‘globally’. Here, the user is not being told about how their information may be being transferred outside the EEA – which is something that is really important so that users can make a decision about how their data is being used.
The real issue here is about data going to the United States. When I see ‘globally’, I think this is a euphemism for the Untied States in a way to soften the language about where the data is being transferred due to the negative connotations associated with it. There is no federal Data Protection law in the US, and the US government authorities are able to access data within its jurisdiction for ‘National Security’ reasons. This means that there is no right of recourse for EU data subjects about how their data is being handled and used by the US authorities.