There are fewer, if any, organisations who are more newsworthy or notorious in the data privacy landscape than Meta. Meta, formally Facebook, have been around since 2004 and have been collecting data on billions of people for many years. Facebook, after a period of pressure and whistleblowing leaks, changed its branding name to Meta, presumably in the hopes of creating a new reputation and seeking to shake off its bad reputation.
Facebook, Meta, however they would like to be called, have been the subject of some of the biggest data protection cases of recent years. The landmark Schrems II case which saw the breakdown of the EU-US Privacy Shield was around Facebook Ireland’s migration of data to Facebook Inc. Now whilst the practices of Facebook were not what ultimately brought down the EU-US Privacy Shield, but rather the unrestricted potential of the US Government for EU data subjects, it was Facebook’s processing activities which was the legal instrument drove the landmark case to judgment.
But anyway, enough of the past, what is happening now?
Well, on 26th May 2022, Meta made an announcement that it has updated its Privacy Policy and its Terms of Service, both of which will be in effect from 26th July 2022. In its announcement, Meta states that they have changed the Privacy Policy “to make it easier to understand and clearer about how we [Meta] use your information…we’ve [Meta] added more detailed explanations in our Privacy Policy including about how we use and share information with third parties.” [1]
Comparing the new Privacy Policy with the current Privacy Policy, the new one definitely looks more aesthetically pleasing. There are images and videos as well as text, making for a more user-friendly and digestible experience. Well, as user-friendly and readable as a Privacy Policy can be. As a data privacy professional, whilst the bells and whistles are nice, ultimately, I am not interested in how the information is presented (although that is important). I care about the content – what is it telling the user, and what isn’t it telling the user.
Before I go on, it is important to understand that Meta is reported to have made 97.5% of its revenue stream from advertising[2], a point I will come back to later in this article. This further illustrates how important it is for Meta to be transparent about how and where it shares data to, given that company almost entirely runs off its advertising platform. Meta are using the data they hold on us to make their money.
This updated Policy aims to cover the following of Meta’s products: Facebook, Messenger, Instagram, Facebook Portal products, Oculus Products, Shops, Marketplace, Spark AR, Meta Business Tools, Meta Audience Network, NPE TeamsApps, Facebook View.
For the purpose of this article, I am going to look at 4 sections specific areas of the Privacy Policy.
- Does Meta’s new Privacy Policy make it easier to understand its content?
- Does Meta’s new Privacy Policy explain the lawful basis for how they capture data?
- Does Meta’s new Privacy Policy effectively discuss data retention?
- Does Meta’s new Privacy Policy explain how Meta shares personal data with international organisations?
- Does Meta’s new Privacy Policy make it easier to understand its content?
At their core, Privacy Policies should be easy to understand. They are not for lawyers or privacy professionals. They should be written and drafted for the average consumer so that they can be made aware of how their data is being used and make a decision on whether they are happy with the use.
On this note, I think that the Privacy Policy is a lot easier to understand and it is more digestible than its predecessor. The information is provided in text form, videos, and layered privacy materials for pop-outs for the user to read more information.
So, whilst the information which is written can be understood, there are gaps in what they inform the user about how they use their data, some of these gaps will be covered below.
- Does Meta’s new Privacy Policy explain the lawful basis for how they capture data?
In what is by far the longest section of the Privacy Policy (taking up approximately ¾ of the overall policy), Meta has a series of detailed tables on the various lawful bases it uses to processes information, explaining ‘how’ and ‘why’ and what information categories are collected. This section should represent how Meta is lawfully processing the data under Articles 6 and 9 of the GDPR/UK GDPR. Meta cover the following lawful bases: consent, performance of contract, legal obligation, legitimate interests, tasks carried out in the public interest, protection of vital interests. This is a wide range of legal bases, but Meta’s scope and services are wide, so that in and of itself is not necessarily an issue. However, it is important to note that no mention of sensitive or special category data is references within the Privacy Policy – meaning that they have not described how they will comply with Article 9 of the GDPR/UK GDPR.
In order to avoid writing a novel, I am not going to cover all of the legal bases as the policy is quite long. However, I would implore any reader to look at the Privacy Policy for themselves and have their own opinion. Instead, I am going to look at two particular sections where I have specific concerns:
Performance of Contract
It is important to remember that performance of a contract is about the contract between a data controller and a data subject, not contracts between organisations who will incidentally need to process the data of an individual. The explanation for why Meta process individuals’ data for the performance of a contract seems to be stretched – alluding to personalising news feeds, personalising ads and making suggestions for the user, improving their Meta products. The data in question is not data which is at the heart of the services which Meta provide, but rather their algorithms to utilise their advertising platform – which again, is 97.5% of their income.
Protection of your vital interests or that of another person
Meta have quite rightly alluded to the fact that this lawful basis is around life and death situations, that is the core meaning behind ‘vital interests’. But what data is Meta processing under vital interests? They do not provide health or social care services, so why are they relying on this basis?
Well, Meta says that they will share information with law enforcement agencies where someone’s interests require protection, including mental health, well-being, or integrity or that of others. So far, so good, there are no serious concerns with this – Meta has an enormous platform and using the data it holds to save lives is a positive act which I think most people would agree with, if used appropriately. However, when turning to what data Meta collect under this purpose (which is admittedly across different purposes), it seems very unproportionate. It must be remembered that data is collected only when it is strictly necessary for its purpose, this again is one of the principles of the GDPR.
For ‘vital interests’, Meta will collect the following data (which is not an exhaustive list, but an example of the data which seems questionable as to how this could amount to protecting vital interests): types of context you view or interact with, apps and features you use and what actions you take in them, hashtags you use, time, frequency and duration of your activities on Meta’s products, device characteristics and device software, what you’re doing on your device (such as whether the app is in the foreground or if mouse is moving), device signals, information shared through device settings, information about cookies.
In short, wow. I sincerely struggle to understand how this data could be used to protect the vital interests of an individual and isn’t just a way to hold an enormous amount of data about their users – their whereabouts, everything they look at, interact with, their habits and lifestyle. Yes, this information could theoretically be used to help vital interests, but Meta are not a health and social care agency, nor are they a law enforcement agency. They are a big-tech company who make their money from adverts. And what does all this data collect help them do? Advertise, not, saving lives.
- Does Meta’s new Privacy Policy effectively discuss data retention?
What about data retention? One principle of the GDPR is around storage limitation. Data should not be held longer than it is reasonably necessary. So, what does Meta say about how long it stores user’s data?
“We [Meta] keep information as long as we need it to provide our products, comply with legal obligations or to protect our or other’s interests. We decide how long we need information on a case-by-case basis. Here’s what we consider when we decide:
- If we need it to operate or provide our products. For example, we need to keep some of your information to maintain your account. Learn more.
- The feature we use it for, and how that feature works. For example, messages sent using Messenger’s vanish mode are retained for less time than regular messages. Learn more.
- How long we need to retain the information to comply with certain legal obligations. See some examples.
- If we need it for other legitimate purposes, such as to prevent harm; investigate possible violations of our terms or policies; promote safety, security and integrity; or protect ourselves, including our rights, property or products
In some instances and for specific reasons, we’ll keep information for an extended period of time. Read our policy about when we may preserve your information.”[3]
This is a very general statement. Case-by-cases are fine, but the examples and expansions given are also very general and do not give any real indication about how long data is held – other than what effectively is in perpetuity. Whilst there may be legitimate reasons as to why Meta hold the data, the specific examples are not adequately explained to users, so users will not have a good understanding of how long their data is being kept, and why.
- Does Meta’s new Privacy Policy explain how Meta shares personal data with international organisations?
For those in the know, Meta have serious issues when it comes to international transfers, and have even threatened to take their services out of Europe because of their inability to comply with the GDPR due to their central hub being located in the United States and their processing which takes place in the states.
So, when you look at the new Privacy Policy, what does it say about international transfers? A section entitled ‘Why is information transferred to other countries?’ reads:
We share the information that we collect globally, both internally across our offices and data centres, and externally with our partners, vendors, service providers and third parties. Because Meta is global, with users, partners and employees around the world, transfers are necessary for a variety of reasons, including:
- So we can operate and provide the services stated in the terms of the Meta Product you’re using and this Policy. This includes allowing you to share information and connect with your family and friends around the globe.
- So we can fix, analyse and improve our products[4]
In my opinion, there are some gaping holes in this statement. Firstly, there is not a section which covers what countries or what data is sent to other countries, and whether those countries are outside the EEA. So, all we have is what is stated above. We learn that information is shared ‘globally’. They state that they will share the data to operate within the terms of the Meta Product and this policy and to fix, analyse and improve products. That’s all very well and good, but it’s not very user friendly. The statement is a blanket, capture all, way of transferring the data ‘globally’. Here, the user is not being told about how their information may be being transferred outside the EEA – which is something that is really important so that users can make a decision about how their data is being used.
The real issue here is about data going to the United States. When I see ‘globally’, I think this is a euphemism for the Untied States in a way to soften the language about where the data is being transferred due to the negative connotations associated with it. There is no federal Data Protection law in the US, and the US government authorities are able to access data within its jurisdiction for ‘National Security’ reasons. This means that there is no right of recourse for EU data subjects about how their data is being handled and used by the US authorities.
Conclusion
This is a small step in the right direction for Meta. The new privacy policy undoubtedly improves on its old one, but in my opinion, still falls so far short of where it needs to be given the amount of data it processes and the transparency obligations it is required to fulfil.
[1] https://about.fb.com/news/2022/05/metas-updated-privacy-policy/
[2] https://s21.q4cdn.com/399680738/files/doc_financials/2021/q4/FB-12.31.2021-Exhibit-99.1-Final.pdf
[3] https://www.facebook.com/privacy/policy/?section_id=8-HowLongDoWe
[4] https://www.facebook.com/privacy/policy/?subpage=9.subpage.1-WhyIsInformationTransferred
