Main Highlights:
- Motherboard/Vice released an explosive piece yesterday regarding Facebook’s practices, which will raise new worries about the internet giant’s noncompliance with European privacy standards.
- The article is based on a leaked internal document written last year by privacy engineers on the company’s Ad and Business product teams.
- Meta’s text contains a lot of unclear internal business abbreviations/acronyms.
Yesterday, Motherboard/Vice published an explosive article on Facebook’s operations that raised new concerns about the tech giant’s lack of compliance with European privacy rules. The story is based on a leaked internal paper prepared by privacy engineers on the company’s Ad and Business product teams last year.
The paper, headed “ABP Privacy Infrastructure, Long Range Investments [A/C Priv],” purports to depict engineers at the now-defunct software behemoth Meta scratching their heads over the dreadful task at hand: attempting to bring Facebook’s data-ingesting advertising business into compliance with a “tsunami” of global privacy regulations. Those regulations require the company to understand how user data flows through its systems, so that it can apply policies controlling what happens to people’s information and perform essential functions such as honoring people’s privacy preferences. So the next time Sheryl Sandberg mentions Meta’s “regulatory headwinds,” here is the contextual flesh to glue onto those euphemism bones.
Meta’s text has several internal business abbreviations/acronyms with ambiguous literal interpretations. If you have the time and patience to wade through 15 pages of text and graphs accompanied by colorful analogies, you’ll find that Meta has structured its advertising system to be very far from complying with the requirements of the Digital Advertising Alliance (DAA) and with laws like Europe’s General Data Protection Regulation (GDPR). Nor do Meta’s engineers appear confident in their ability to untangle the mess and ensure timely compliance with a slew of other pending worldwide standards, according to the paper.
Meta, of course, disagrees that the paper shows it violates any privacy laws. The company claims in a statement to Motherboard that the document does not adequately describe its extensive processes and controls for complying with privacy regulations; that it is therefore simply inaccurate to conclude that it demonstrates non-compliance; and that the document reflects the technical solutions the company is developing to scale the measures it already has in place to manage data.
And how does that assertion hold up?
Wolfie Christl, an independent privacy researcher and expert in forensic analysis of ad data flows, has a different perspective of the leaked paper, labeling it dynamite and a confession (although one not meant for public consumption) that Meta violates the GDPR. See his lengthy Twitter thread — in which he deconstructs and contextualizes the engineers’ views as he sees them.
The document is a direct admission that Facebook’s whole business is predicated on an extensive GDPR infringement at its core, Christl tells TechCrunch. The GDPR’s most fundamental premise is purpose limitation: generally, a company may acquire personal data only for a specific reason. If a business cannot define the purpose for which it gathers personal data, the GDPR prohibits it from processing that data.
When asked what Meta’s lead EU data protection authority should do, Christl responds, “The Irish regulator must act immediately. If Facebook cannot precisely explain how its surveillance advertising engine utilizes personal data, the company must be required to cease it.”
TechCrunch contacted the Irish Data Protection Commission (DPC) to inquire whether it will open an investigation into Meta’s ad data flows in light of what the document appears to show: essentially, an advertising system that exists (or existed in 2021) in an anti-regulatory state — and, indeed, whether the document is relevant to any of the DPC’s (several) ongoing investigations into various aspects of Facebook’s business.
The authority did not issue a comment, but deputy commissioner Graham Doyle stated that the regulator had not seen the paper until Motherboard/Vice released it. This raises additional concerns, considering that the DPC has been examining for over four years whether Facebook’s advertising business complies with the GDPR’s requirement of a sufficient legal basis for processing people’s data.
For example, the DPC has been reviewing a complaint against Facebook since May 2018, when the law took effect. The complaint concerns Facebook’s legal basis for processing user data for advertising purposes.
A draft DPC decision on that inquiry, which was published last fall (not by the DPC), was quickly dubbed a farce by privacy campaigners, as the regulator appeared to be prepared to accept Meta’s tactic of evading the GDPR’s standard for consent-based processing by claiming a cunning contractual bypass.
The short version is that consent must be freely given for it to be valid under the GDPR. Additionally, consent must be purpose-specific (i.e., not bundled), and it must be informed. None of these conditions holds if you use Facebook, which requires processing your data for ad targeting as a condition of use: click ‘consent to advertisements,’ or you will be unable to create a Facebook account.
However, according to a leaked draft DPC ruling from last year, Facebook asserts that users had entered into a contract to get tailored advertisements – and the DPC did not appear to object to that GDPR-evading design.
Given that GDPR complaints continue to struggle with such legal fundamentals, is it any surprise that the deep, dark underbelly of Meta’s ad-targeting machinery contains, as this document describes, a vast ocean of surveillance data on web users but so little apparatus to order this data according to individuals’ wishes?
The simple conclusion is that the EU has been enforcing its ‘flagship’ data privacy law for over four years, yet Facebook remains unaffected by GDPR enforcement. (It was fined last year over its messaging app WhatsApp.) Additionally, the European Union did not invent privacy law in 2018, when the GDPR took effect; before that regulation, the Data Protection Directive incorporated many of the same ideas.
Thus, if a business like Facebook had heeded long-standing legal requirements regarding privacy by design — and if EU authorities had enforced those regulations with vigor – Meta might not be warning investors about the regulatory headwinds threatening their shareholder value. Nor would it be confronted with what appears to be a monstrously expensive and resource-intensive re-engineering problem — more comparable to reconstructing the whole planet from crushed moondust in a way that assures every single particle of rock and dust is returned to its original location. Oh, and — surprise! — the deadline for accomplishing all of this has already passed. This is referred to as ‘Zuckerberg’s moonshot.’
A Meta spokesman did not answer a query about whether the company had contacted the DPC in response to the Motherboard investigation to submit details about the operation of its advertising system to its key EU regulator. The firm offered us the identical statement it had previously supplied to Motherboard, concluding with this lament: “This parallel is incomplete because they do have substantial systems and controls in place to handle data and comply with privacy legislation.”
The European Commission is ultimately responsible for overseeing EU Member State agencies’ compliance with the GDPR. TechCrunch inquired whether the Commission had any concerns regarding the leaked material and a position on whether the DPC should initiate an inquiry into Meta’s advertising data flows. However, it had made no response as of the time of writing.
In February, in response to a complaint lodged against the Commission by the Irish Council for Civil Liberties — accusing the EU executive of failing to act on Ireland’s “failure to apply” the GDPR properly — the EU ombudsperson set a May 15 deadline for the Commission to provide “detailed and thorough” accounts of the information it has acquired on Ireland’s implementation of the legislation.