Privacy concerns over how Facebook, Inc. uses “cookies” have led both Germany and Ireland to wage new battles against the social networking giant. “Cookies” are “small pieces of data in a person’s Web browser that record browsing behavior.” Privacy officials in Germany and Ireland allege that the cookies Facebook places on users’ internet browsers continue to track users for two years after they delete their accounts, far longer than the few months allowed under European privacy laws.

In Germany, Hamburg’s Data Protection Authority (DPA) investigated Facebook’s “cookie” practice, and concluded that without users’ consent, European privacy regulations require Facebook to delete information it has stored. In Ireland, a “guerilla” organization of Austrian students–calling themselves “Europe v. Facebook”–has filed twenty-two formal complaints against Facebook, through Ireland’s Data Protection Commissioner (DPC). Europe v. Facebook, the brainchild of 24-year-old Austrian law student Max Schrems, is an online campaign designed to force Facebook to follow European data privacy laws. Members of Europe v. Facebook, including Schrems, have requested records of their own personal information collected by Facebook, pursuant to a right of access guaranteed under Article 12(a) of Directive 95/46/EC (“Member States shall guarantee every data subject the right to obtain from the controller . . . communication to him in an intelligible form of the data undergoing processing . . . .”). Facebook’s responses to these requests–contained in PDFs of more than 1,000 pages and more than 100 megabytes–revealed that Facebook collected and stored data on chats deleted by the user, “pokes,” invitations users had not responded to, friends the user removed, name changes, last locations, past privacy settings, and hundreds of other details. According to Europe v. Facebook, European law provides that a company must have a reason for maintaining data beyond several months.

Facebook contends that it uses cookies to deliver personalized content to users, and for security/safety purposes, including: (1) to identify spammers and phishers, (2) to detect unauthorized access to users’ accounts, (3) to assist users in accessing their accounts after their accounts have been hacked, and (4) to prevent underage users from registering. However, German officials remain unconvinced by the reasons Facebook articulates, as the investigation by Hamburg’s DPA found “no reason” for Facebook to maintain personal information on users for an extended time.

In Germany, Facebook has agreed to follow a voluntary code of conduct to protect user data within the country, presumably as an attempt to quell the rising tide of investigations against the company for alleged privacy violations. Earlier, privacy officials in Schleswig-Holstein declared that Facebook’s “Like” button violates the state’s privacy laws, and Hamburg’s DPA continues to investigate Facebook’s facial-recognition tagging feature. If, however, talks between Hamburg’s DPA and Facebook do not succeed in allaying the agency’s concerns over Facebook’s use of cookies, the agency’s head, Johannes Caspar, has said the DPA will pursue legal options against the social network, including levying fines against the company. In Ireland, Ciara O’Sullivan, spokeswoman for the Irish commissioner, said Ireland’s DPC has opened a formal investigation into Schrems’ complaints over cookies. As in Germany, Facebook may be subject to fines if it fails to conform its practices to European privacy law. In both countries, however, the potential fines Facebook faces for violating European law are largely trivial–in one case, amounting to 140,000 USD–such that it may have little incentive to comply with European privacy regulations.

The U.S. has only recently taken notice of the issue. On October 28, 2011, Reps. Joe Barton and Edward Markey, Co-Chairmen of the Bi-Partisan Privacy Caucus in the U.S. House of Representatives, sent a letter to Facebook CEO Mark Zuckerberg requesting information about Facebook’s data retention policies. The letter, written in response to an October 24th blog post on the Wall Street Journal’s website, raised the Caucus’s concern “that although the user was under the impression that [his] information was deleted at the user’s request, Facebook continued to retain the information.”

The lack of an international privacy framework may pose the greatest obstacle to ensuring that companies adopt practices protecting users’ privacy. Multiple attacks by local authorities in various countries–each of which may impose “trivial” penalties–may not incentivize companies to take privacy seriously. Rather, a company like Facebook, defending itself against enforcement actions brought under different and potentially inconsistent regulatory regimes, may find it easier to pay fines as they are incurred than to adopt ex ante a policy of implementing practices that respect user privacy.

– Ilana Kattan


One Response to Europe’s Battles Against Facebook Show it’s Not “All Quiet on the Western Front”

  1. A.M. says:

    It seems to me that an international privacy framework might fail to account for variation in countries’ demand for privacy. Concepts of privacy have strong cultural origins, and each country may choose to establish different boundaries. Google was forced to recognize cultural distinctions relating to privacy in 2010 when it was sued in Italy for permitting users to post a video. Where American users may defend the video, which depicted harassment of an autistic boy, under the First Amendment, Europeans reacted to it as an invasion of privacy. Privacy was a concept largely overlooked by the Founding Fathers and even today remains at odds with other American values, such as freedom of speech and even economic efficiency. Nonetheless, it may be too onerous for an international media company like Facebook or Google to comply with the individual privacy norms of each user country. Therefore, some international mechanism would be beneficial in meeting the needs of the user countries while allowing international companies like Facebook to continue operations.