Facebook’s data security policies have long gone unchallenged by European regulators, in part because the company has its European headquarters in Ireland, a country with a more permissive attitude to data privacy. That might change soon.
Expectations were low when Germany’s new federal justice minister hauled in Facebook executives to explain their latest data scandal. But even by those standards, it was clear the social media giant had under-delivered when Katarina Barley went before the press after the March 26 meeting in Berlin.
“Facebook admitted abuses and excesses in the past, and gave assurances that measures taken since will prevent them from happening again,” she said. “But promises aren’t enough. In the future we will have to regulate companies like Facebook much more strictly.”
But Facebook isn’t the only one making empty promises. Politicians across Europe have been astir with indignation, muttering empty threats since Cambridge Analytica admitted that information it bought on Facebook users was used to influence the 2016 US presidential election. The company bought the data—illegally—from the developers of a personality app that quizzed users to determine their personalities, political leanings, and more. Until 2014, Facebook’s default settings allowed any app installed by one Facebook user to scrape data off all of a user’s friends, too—without informing them or asking for explicit permission.
Cambridge Analytica has been bragging about its coup since Donald Trump was elected, but it took a company whistleblower to make clear the extent of the manipulation. Now that the consequences of the data-trading have become clear, Facebook claims to be shocked—shocked!—by what happened.
In reality, Facebook is shocked because it was caught. It walked into this with its eyes open, allowing problematic data-collection via third-party apps. And it earned money in the process from data-collecting app developers it knew it couldn’t control.
They got away with it because, well, they can.
Under current EU law, Germany’s federal justice minister can investigate consumer law breaches involving Facebook. But the ministry has no ability to police Facebook data breaches—even if they happen in Germany or, as Barley said after their meeting, affect 130,000 European Facebook users.
Because Facebook and other tech giants have their international headquarters in Ireland, front-line responsibility for policing them falls to the Irish data protection regulator (DPC). And for years, the DPC has faced accusations from German and other authorities of sitting on its hands.
It is a heated, polarized argument that has much to do with interpretation of laws dating back to before Facebook was even invented. But just as crucial are cultural norms—and misunderstandings.
Germany’s robust data protection rules and privacy culture are a product of bitter experience of surveillance, under first the Gestapo and then the Stasi. Ireland has a much looser attitude to privacy and data protection, more similar to British and US perspectives, and the Irish DPC is a reflection of this. But the status quo of EU data regulation means the Irish philosophy has prevailed.
Since 2011 Ireland’s regulator has been investigating Facebook’s operations in Europe following a complaint filed by Austrian privacy campaigner Max Schrems that the company was operating outside EU law. He took his case to the European Court of Justice in Luxembourg and won, forcing the EU to close down problematic transatlantic data transfer channels.
But in his 2011 complaint to the Irish DPC, Schrems also flagged as illegal Facebook apps’ practice of pulling in the data of both users and their Facebook friends. While Facebook maintains contracts with developers forbidding the onward sale or disclosure of data to third parties without user consent, he dismissed these as worthless.
“No one knew for sure who was behind these apps and no one knew what happened to the data collected,” said Schrems. “It could disappear into another country or end up being used—as Cambridge Analytica shows—in an election campaign.”
Asked about Schrems’s concerns, Facebook claimed back in 2011 that its users had agreed to share their data with apps in friends’ profiles through the concept of “third party consent.” The Irish regulator flagged this as problematic, and ordered changes back in 2011 and 2012; but we still don’t know if the DPC viewed the practice as illegal. Indeed, it was a whole three years after the first complaint that Facebook restricted its “third party consent” sharing of data, and then only because the social network updated its platform.
Ask the Irish DPC what took so long and you hear a lot about consensual audits and how effective data protection regulation requires an “iterative approach.” This is the kind of talk that drives German data regulators to distraction—they prefer to stop problematic practices first and ask questions later.
Years of pan-EU frustrations could come to an end in May, when new EU data protection rules come into force. The Irish regulator will remain the frontline regulator for Facebook, Twitter, and Google, all based in Dublin. But the new rule book, known as the General Data Protection Regulation (GDPR), foresees greater leeway to act—and huge fines for regulation breaches.
German Green MEP Jan Philipp Albrecht, who pushed GDPR through the European Parliament, says the new rules will increase pressure on the Irish DPC to explain to partner agencies in other EU member states how it is regulating—or not regulating—big tech companies in its territory. Should it fail to make a convincing case, Albrecht says, “it will lead quickly to outside control of the Irish regulator.”
For Albrecht, a data protection veteran, the EU regime will do more to rein in Facebook data breaches than any national politician or regulatory body. Albrecht added: “I for one am happy that the Irish regulator will, through GDPR, be expected to apply common rules more quickly and consequentially.”