EU data protection authorities get serious about Facebook's privacy policy
The task force was formed on Tuesday during a meeting of European data protection authorities and will be led by Belgium, the Netherlands, Germany and perhaps Italy, said the spokeswoman for Bart Tommelein, Belgium's state secretary for privacy.
The move was triggered by a few things that seem to "flagrantly go against general privacy laws in Europe" in Facebook's new privacy policy that came into effect on Friday, she said.
The data protection authorities (DPAs) for instance take issue with Facebook's practice of following its users off site, collecting information when they use third-party websites and apps that use a Facebook "like" button, a Facebook log-in or Facebook's measurement and advertising services. What's more, the authorities don't like Facebook claiming the right to use information and photos from user profiles for commercial purposes and take issue with Facebook sharing personal user data with third parties, she said.
"These are several things that really go too far, we think, and the task force will investigate them," she added.
The Dutch and Belgian privacy authorities have already started an investigation into Facebook's new policy, while in Germany the Hamburg Data Protection Commissioner asked Facebook last Friday to answer several questions about its new policy by the end of February.
The German authority has doubts about the legality of the way Facebook processes personal data, and in particular about Facebook sharing data with companies that are owned or operated by Facebook, including WhatsApp, Instagram, Oculus and Facebook's advertising company Atlas, said Moritz Karg, in-house legal expert at the Hamburg DPA. Sharing this information without explicit consent from users might be illegal in Germany.
Facebook did not immediately comment on the task force. However, a Facebook spokeswoman has said before that "Facebook shares information with its affiliates in some cases to help apps serve you better. For example, if you're locked out of your Instagram account, you can use your Facebook information to recover your password."
Karg, however, seriously doubts that the information shared between services is only for security purposes. If you read the data policies of Facebook, Instagram, Atlas or any of the eight companies they share data with "then you see that there is a network for sharing personal data," Karg said, adding that he doesn't think Facebook is lying but maybe in this case isn't telling the whole truth.
Facebook has also been adamant in the past that part of its policy that states users "permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you," does not mean that pictures or private data will be sold to third parties without consent. Rather, this clause is in the policy to enable Facebook to put names and pictures from users in an ad on Facebook itself, for instance when someone likes a company.
Although this clause has been in the privacy policy since 2013, the DPAs still think it's worth investigating its legality.
The task force will now tell Facebook what it thinks is wrong with the privacy policy. If Facebook is not willing to make changes, the task force could pass its complaints to the EU's national privacy authorities for independent action against the company, Tommelein's spokeswoman said.
Meanwhile, the national investigations are ongoing. Facebook has asked to talk with Tommelein this month and the Belgian DPA has asked Facebook for an explanation of the policy changes in a letter.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com