Facebook privacy EU law data protection

Social media is not a new phenomenon, and for most organisations, has become a common channel for broadcasting content and engaging with customers. However surprisingly, reducing legal risks surrounding the use of social media continues to be a grey area for many organisations, large and small.

To help you avoid these legal pitfalls we’ll be providing regular updates on social media law including the latest news, tips to stay proactive and explain how changes in the law will affect the way your organisation communicates and shares information online.

This week we explore some of the recent challenges faced by Facebook and entities advertising on the platform. We consider Facebook’s collection of user data, which may breach data protection laws in the EU – and also violate competition laws. Should Australian businesses be reviewing their privacy practices in light of these dealings?

Social plugins are widgets that often appear on websites to allow users to comment or share content. Popular plugins are the Like and Share buttons, which allow visitors to “like” or “share” content on social media platforms, such as Twitter, Facebook and LinkedIn, increasing brand exposure. 

What happens when you press the thumbs-up button on a website?

Most consumers are aware that by clicking on the thumbs-up button that appears on a website they are not only openly supporting the website content, but that the website content will be shared with Facebook friends and appear in news feeds. Often details such as IP addresses are also transferred from the relevant website to Facebook. According to Facebook’s developer page, usage of social plugins may result in Facebook receiving:

  1. the visitor’s user ID
  2. browser-related information; and
  3. details about the website being visited.

Facebook’s Statement of Rights and Responsibilities states that subject to any limitations the user places on audiences of their posts, users permit Facebook to use their information in connection with commercial content served by Facebook, including brands the user likes.  This includes allowing a business to pay Facebook to display a user’s name and/or profile picture with their content or information without paying the user.  While Facebook’s legal terms cover the receipt and usage of such information, the terms and privacy policies of many websites that incorporate social plugins do not refer to user data transferred to Facebook.

E-commerce sites breach data protection laws

A German court has held that two e-commerce websites breached data protection laws by failing to obtain proper consent before transmitting their users’ IP addresses to Facebook when they used “Like” buttons on their websites. 

It is unlikely that Australian businesses that use social plugins will be held equally liable. In Australia, the Privacy Act only applies to personal information, being information that can identify a person.  In isolation, an IP address is unlikely to constitute personal information. This was recently established by the Administrative Appeals Tribunal in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991.  However if the operator of the website transmitting the IP address has further information about the user, such as their user ID, it may be able to aggregate the data to identify users – and if so, will then need to comply with the Privacy Act.  Obligations under the Privacy Act include notifying individuals about when their personal information  will be collected. 

Cookies: Trail of crumbs leads to Facebook

Facebook recently received a formal order from the French Data Protection Agency to stop tracking non-Facebook users via cookies and social plugins.  According to the Agency, Facebook collects information from users who visit public Facebook pages and then uses cookies to track the browsing activities of these individuals – including those who don’t have a Facebook account and therefore have not consented to Facebook’s Terms of Service.  In Belgium, users must now sign in to Facebook to see content, including public profiles such as those promoting local businesses. 

To the relief of many small businesses that rely on Facebook for advertising, Australian privacy laws are less stringent than in the EU.  Most websites (including Facebook) use cookies to track what users are doing with respect to its services.  The Office of the Australian Information Commissioner (OAIC) has noted a level of public anxiety concerning the use of cookies, particularly with regard to sites that use cookies to track users’ browsing activities, even after users have logged out of Facebook.  The OAIC has reminded users to use the settings in their browsers to control how they deal with cookies.

Data protection issues may breach EU competition law

Last week the German Federal Cartel Office initiated investigations into whether Facebook has breached data protection laws and, in doing so, violated competition rules.  The cartel office is investigating whether Facebook is abusing its dominance to harvest personal information. 

As a “dominant” social media company which generates revenue from advertising based on user data, Facebook is subject to special obligations – including ensuring that consumers are sufficiently informed about the nature of data it collects. The investigation reportedly relates to the requirement that users must agree to Facebook’s collection and use of their data by accepting the terms of service in order to access the social network, but that it was difficult for users to comprehend the extent of such terms. 

While in the EU the collection of vast amounts of consumer data by big Internet companies may violate competition rules, this hasn’t been alleged in Australia. Regulators in Australia are more concerned about the use and protection of that data, rather than the impact of collection on the market. 

Rule of thumb up

While Facebook is under constant scrutiny from privacy (and EU competition) regulators, businesses advertising online and using social plugins are reminded of the need to remain conscious of their privacy obligations – especially those who trade in the EU. 

Our Expert Project Lead