Legal Procedure against “Facebook Ireland Limited”

 

For years the shortcomings of Facebook’s privacy practice have been discussed, thought and talked about. Besides a couple of individual lawsuits there have been almost no consequences. Oftentimes we read that Facebook is a US company and therefore we cannot do too much within Europe. Are you sure?
 


“If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.”

(Facebook’s Terms, Chapter 18. “Other”)
 


Ireland. Presumably to benefit from tax advantages, Facebook is running an Irish company. This does not only mean that Facebook is saving a lot of money but also that Irish and European data protection and consumer law applies.
 

Irish Authority. The “Data Protection Commissioner” (DPC) is the responsible authority for all data use of Facebook Ireland Ltd. We therefore filed 22 complaints with the Irish DPC. According to the European data protection directive the Republic of Ireland is obligated to sufficiently prosecute any breach of the principles set down in the directive. So far the DPC has only undertaken a non-binding “best practice” audit.
 

22 Complaints. The major benefit of a complaint, in contrast to a lawsuit, is that it only initiates a two-party proceeding by the Irish DPC. We have decided to split the problems into small and individual complaints in order to have a better overview. It is up to the Irish Data Protection Commissioner to decide if the complaints are justified; so far the DPC has tried everything to avoid a binding legal decision.
 

Non-binding Audit. In a first report the Irish DPC has listed numerous measures Facebook has to comply with in order to improve its compliance with Irish and European law. At the same time this first report does not consider many issues we raised, lacks sound legal reasoning and is non-binding.
Therefore we think that the non-binding “audit” brought Facebook in line with maybe 10% of the EU laws. We are right now continuing our fight for the other 90% and for legally binding decisions on all 22 complaints.
 

Transparency. All Complaints, answers and letters will be published here. For strategic reasons and reasons of privacy, certain parts must be edited out or cannot be published at all.
 

 

Procedure against “Facebook Ireland Ltd.”

 

 

1. Complaints against Facebook (August and September 2011)

01

18-AUG-2011

Pokes.
Pokes are kept even after the user “removes” them.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

02

18-AUG-2011

Shadow Profiles (Big Data).
Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

03

18-AUG-2011

Tagging.
Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out).
Info: Facebook announced changes.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

04

18-AUG-2011

Synchronizing.
Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

05

18-AUG-2011

Deleted Postings.
Postings that have been deleted showed up in the set of data that was received from Facebook.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

06

18-AUG-2011

Postings on other Users’ Pages.
Users cannot see the settings under which content is distributed that they post on others’ pages.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

07

18-AUG-2011

Messages.
Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

08

18-AUG-2011

Privacy Policy and Consent.
The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

09

18-AUG-2011

Face Recognition.
The new face recognition feature is a disproportionate violation of the users’ right to privacy. Proper information and an unambiguous consent of the users is missing.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

10

18-AUG-2011

Access Request.
Access Requests have not been answered fully. Many categories of information are missing.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

11

18-AUG-2011

Deleted Tags.
Tags that were “removed” by the user, are only deactivated but saved by Facebook.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

12

18-AUG-2011

Data Security.
In its terms, Facebook says that it does not guarantee any level of data security.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

13

18-AUG-2011

Applications.
Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

14

18-AUG-2011

Deleted Friends.
All removed friends are stored by Facebook.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

15

18-AUG-2011

Excessive processing of Data.
Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes.
It seems Facebook is a prime example of illegal “excessive processing”.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

16

18-AUG-2011

Opt-Out.
Facebook is running an opt-out system instead of an opt-in system, which is required by European law.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

 

24-AUG-2011

Letter from the Irish DPC.
 

 

Letter (PDF)

 

15-SEPT-2011

Letter to the Irish DPC concerning the new privacy policy and new settings on Facebook.

 

Letter (PDF)

17

19-SEPT-2011

Like Button.
The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

18

19-SEPT-2011

Obligations as Processor.
Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

19

19-SEPT-2011

Picture Privacy Settings.
The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

20

19-SEPT-2011

Deleted Pictures.
Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

21

19-SEPT-2011

Groups.
Users can be added to groups without their consent. Users may end up in groups that lead others to false impressions about a person.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

22

19-SEPT-2011

New Policies.
The policies are changed very frequently, users do not get properly informed, and they are not asked to consent to new policies.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

23

26-JUN-2013

PRISM
Facebook Ireland is forwarding data to the NSA (via Facebook USA). Export of data is only allowed if there is an “adequate protection”.

Refused by the Irish DPC

Complaint (PDF)

 

 

 

 

 

2. First Report by the Irish Authority (December 2011)

 

21-DEC-2011

First Report by the Irish Data Protection Commission
This first report is based on our complaints, but is a proceeding that ran parallel to our complaints. The report is therefore not a final decision for our complaints.
The appendix includes some technical background information as well as other additional information.
There is also a press release by the DPC and a first comment by Facebook available.

Published

Report (PDF)
Appendix (PDF)

First Responses:
europe-v-facebook.org (PDF)
Irish DPC (PDF)
Comment by Facebook (Link)

 

 

Our Reaction
After studying the report in depth we told the DPC in January 2012 that we do not think that this first report will resolve all issues that were brought before it. Things that are suggested as “best practice” are not even meeting the minimal standard of European data protection law. A solid legal argumentation is missing and the DPC did by far not address all issues that were included in our complaints.

No satisfying response

e-mails of Jan 2012 (PDF)

 

 

 

 

 

3. Negotiations with Facebook in Vienna (February 2012)

 

05-FEB-2012

Facebook’s letter in preparation for our Meeting in Vienna
In order to have a more effective meeting in Vienna we asked Facebook to send us a written summary of all arguments against our complaints. Instead of arguments we got a summary of the Irish report.

No satisfying response

FB’s summary of the Irish report (PDF)

 

06-FEB-2012

Direct Meeting with Facebook in Vienna
According to the Irish Data Protection Act there should be an “amicable solution” between the two parties. Therefore we have had a meeting with Facebook in Vienna, Austria. In order to guarantee as much transparency as possible we have published a “summary of arguments”.

Published

Summary of Arguments (PDF)

Press Information (evf):
Ahead of the meeting (PDF)
Following the meeting (PDF)
Press conference (YouTube)

 

09-MAR-2012

“Follow Up” by Facebook
Following our meeting in Vienna FB pledged that we would get different missing information in a “Follow Up” document. FB breached this pledge and gave us even less information than in the meeting. The table of “all” data categories is a copy of the pages in the Irish report. According to FB this was all the legal team was “comfortable sharing”.

No satisfying response

Follow Up (PDF)
Table of Data (PDF)

 

 

 

 

 

4. Facebook’s new privacy policy (May/June 2012)

 

 

Because of our complaints Facebook has made many little changes. The biggest change was that Facebook has proposed a new worldwide privacy policy. Unfortunately they did not stop their illegal forms of data processing but simply wrote them into the policy, which made the new policy worse than the old one.
We started www.our-policy.org and achieved that Facebook had to hold a worldwide vote on the new policy. But because Facebook has hidden the vote really well it did not reach the necessary quorum to be binding, despite 87% voting against the changes.

 

More Information:
www.our-policy.org
Site Governance Page (FB)

 

 

 

 

 

5. Irish ODPC stops communicating with us, despite ongoing procedure (July 2012)

 

30-JUL-2012

After we have tried to get access to files, evidence and the arguments by Facebook in three rounds, starting in January 2012, the ODPC has stopped communicating with us - by sending a text message.
We have then published the internal struggle we had with the ODPC when trying to get the most basic files about our own case. We were even denied the arguments Facebook has deployed against us.
So far we were not informed about the reason why the ODPC is not talking to us anymore.

Published

Round 1:
Letters of Jan 2012

Round 2:
Letters of Mar/Apr 2012

Round 3:
Letters of Jul 2012
(incl. text messages)

 

 

 

 

 

6. Review by the Irish Authority (September 2012)

 

21-SEPT-2012

In September 2012 the Irish ODPC has checked if Facebook has implemented the non-binding suggestions from the December 2011 Report (see above). The result was that Facebook has implemented “most” of the suggestions, but that it got again additional time to implement the rest.

Published

Review (PDF)
(incl. Section by Facebook and “FTR Solutions”)

Recording of the ODPC’s press conference (MP3)
Part concerning #evf (MP3)

 

 

 

 

 

7. Our Response to the “Audit” (December 2012)

 

4-DEC-2012

We were asked by the ODPC to submit our view of the “audit” procedure.
On more than 70 pages we have shown that the “Audit” has led to many steps in the right direction, but was unable to solve any of the complaints.
In many cases we had to find out that the ODPC did not properly investigate. In some cases the ODPC blindly followed the claims by Facebook, without verification.
The question of access to files, evidence and arguments was addressed again.

Rejected / Ignored

Our Response (PDF)
Media Update (PDF)

 

 

At the same time Facebook has announced that it is getting rid of the voting mechanism for policy changes and updated its policy for the third time during this procedure.

 

 

 

 

We have started “crowd4privacy.org” to collect the necessary funds for a possible legal action against a formal decision by the ODPC.

 

 

 


7-DEC-2012


Irish ODPC ignores our response.
Despite the previous request by the ODPC to indicate our view on the “review” the ODPC has decided “not to comment” on our 70-page response. All requests in the document were ignored.
It is unclear if this means that our requests were formally rejected or simply not processed. We did also not get any access to the requested files or evidence.
The ODPC has asked us to make a request for a formal decision without providing us with the necessary files, responses and answers.

 


e-mails (PDF)

 


14-JAN-2013


Facebook is rejecting “amicable resolution”.
Irish law requires the parties of a complaints procedure to try to find an “amicable resolution”. Since the meeting in February 2012 in Vienna did not lead to any movement by Facebook and the promised documents were never delivered by Facebook, we have made a last attempt to find such a solution. Facebook has refused to engage in such a process.
 

 


Letter from Facebook (PDF)

8. PRISM complaint turned down / Deadline for remaining 22 Complaints

 

25-JUL-2013

PRISM Complaint not investigated
The DPC has refused to take any decision on the “PRISM” complaints, saying that the EU has “envisioned” the use by the NSA when making the “Safe Harbor” decision in 2000. Therefore there is “nothing to investigate”.
 

 

Letters from the DPC (PDF)

 

8-AUG-2013

Sudden Deadline for remaining 22 Complaints
In a letter the DPC has suddenly given us a deadline until the 30th of August to make a “request for a decision” otherwise the DPC would simply make a decision without a request for it. The reason given: The DPC fears reputational damage from the ongoing complaint.
We are still refused access to any parts of the procedure (evidence, arguments, files).
 

 

Letters from the DPC (PDF)

 

 

 

 

 

9. Request for a formal Decision

 

28-AUG-2013

After the DPC has forced us to make a “request” we have filed an involuntary 150-page request, summarizing all 22 complaints and the reaction by Facebook and the DPC. In all cases we see the original complaints to be justified. Only in some cases could we see an improvement through the “audit” procedure.

 

Request (PDF)

 

 

 

 

 

10. First written Response from Facebook

 

30-SEPT-2013

For more than two years we have tried to get the arguments from Facebook. The Irish DPC has so far refused to grant us access to any arguments.

Now we have surprisingly received more than 200 pages of “arguments”. Unfortunately Facebook is in most cases not dealing with the core of our complaints but responded with arguments that seem to be irrelevant to our complaints. In many cases Facebook “reinterprets” our complaints before it is answering them in ways that are illegitimate. Facebook does in no way take a legal position. The law is not mentioned with a single word. On the factual level Facebook is mainly referring back to the “audit”. All evidence is still missing, but we are still happy to be able to publish these documents now.

To get a full picture we highly recommend comparing Facebook’s response to our “request for a formal decision” (see above).

01 Pokes
02 Shadow Profiles (Big Data)
03 & 11 Tags & Deletion of Tags
04 Synchronizing
05 Deleted Postings
06 Postings on other Users’ Pages
07 Messages
08 & 16 Privacy Policy and Consent & Opt-Out
09 Facial Recognition
10 Access Requests
12 Data Security
13 Apps
14 Deleted Friends
15 Excessive processing of Data
17 Like Button
18 Duties as Processor
19 & 20 Pictures Privacy Settings & Deleted Pictures
21 Groups
22 New Policies
 

 

31-OCT-2013

Response to Facebook’s Submission
On about 30 pages we have summarized that the submission from Facebook is in many ways missing the point of the complaints and in most cases only a list of unproven or even clearly false claims.

 

Response (PDF)

 

 

 

 

 

Formal Decision by the Irish Authority

 

 

After we and Facebook made our comments to a “draft decision” the Irish DPC will issue the final decision.
If we (or Facebook) are unhappy with this formal decision we can appeal it at an Irish court.

 

 

 

 

 

 

 

Possible legal action against final decisions, if not compliant with EU law.

 

 

Currently we have to expect that the Irish DPC will not fully enforce Irish and EU law. We are determined to appeal any decision that is not in line with the law.
The legal costs for this are estimated to amount to about €300.000. We have already started a crowd funding page at www.crowd4privacy.org to get the necessary funds.

 

 

 

 

 

 

 
