TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Facebook faces mounting scrutiny Related reading: Notes from the Asia-Pacific region, 19 April 2024



The Facebook-Cambridge Analytica story continues to expand as the number of those affected by the data sharing kerfuffle now reportedly numbers 87 million, up from the 50 million Facebook had originally announced.

Of those 87 million, approximately 2.7 million were European. Facebook has expressed a "willingness to engage" with EU regulators after it was also revealed that 2 billion profiles were scraped. In a press briefing Thursday, Christian Wigan, a spokesman for EU Justice Commissioner Věra Jourová, said Jourová has communicated with Facebook "to arrange for high-level contacts in the coming days." In a tweet, Jourová said the company "needs to step up the response and protect European data."  

Jourová also said she is in talks with the U.K.'s Information Commissioner's Office and Article 29 Working Party Chairwoman Andrea Jelinek about the new revelations. Last week at the Global Privacy Summit, Jelinek said the ICO is the lead authority investigating the incident. 

The comments come after an apparent about-face from Facebook CEO Mark Zuckerberg, who suggested in an interview with Reuters earlier this week that Facebook would not apply the controls it has set up to meet the high-level compliance standards of the upcoming EU General Data Protection Regulation worldwide. Not long after the Reuters report and during a conference call with reporters, Zuckerberg refuted the story, saying, "Overall, I think regulations like this are very positive. ... We intend to make all the same controls available everywhere, not just in Europe." 

Facebook Chief Operating Officer Sheryl Sandberg has also been making the media rounds. She spoke with NPR about the data-sharing incident and said the company will notify those affected once they figure out who was affected. 

Sandberg also said she believes the company did not violate its 2011 consent decree with the U.S. Federal Trade Commission. "I think we're very confident that that was in compliance with the FTC consent decree," she said. According to Bloomberg, however, a spokesperson later clarified that Sandberg was referring to the data collected about users' friends when 270,000 users shared data with a psychology quiz app. That data was later shared with Cambridge Analytica. 

But not everyone agrees with Sandberg. In a scathing blog post for the Harvard Law Review Blog, former FTC Bureau of Consumer Protection Director David Vladeck, who worked on the Facebook consent decree while at the Federal Trade Commission, suggested the company may have been a "venal" actor and now has three strikes against it. 

"I didn't think that Facebook fell into the 'venal' category when the FTC first investigated the company eight years ago," he wrote. "But Facebook's enabling of the Cambridge Analytica campaign suggests that I may have been wrong. Facebook is now a serial offender." 

Vladeck contends that this is the third strike against the company: The 2007 Beacon incident being the first; the 2009 incident that brought the 2011 consent decree being the second. 

"Facebook can't claim to be clueless about how this happened," he said. "The FTC consent decree put Facebook on notice. All of Facebook's actions were calculated and deliberate, integral to the company's business model, and at odds with the company's claims about privacy and its corporate values." 

As a result, Vladeck contends, "The better approach would be for Facebook to acknowledge that it violated the consent decree and to come to the FTC with specific proposals for serious and enduring reform." He suggests the company should have systems in place to prevent third parties from accessing user data without robust controls and clear notice when a third party does want access. He also says Facebook must build accountability systems to demonstrate user consent and develop controls to audit third parties when they do access user data, as well as provide remedies when enforcement is needed. 

To the public, Vladeck says Facebook should appoint a "data ombudsperson" and create an independent group "outside the company that have unfettered access to Facebook data and employees to ensure that Facebook is now, finally, honoring its commitments to users, and this group should periodically report its findings on Facebook's compliance." 

The Cambridge Analytica revelations are not the only issues affecting Facebook this week, either. The Electronic Privacy Information Center, in conjunction with several other consumer groups, said they will file papers asking the FTC to investigate Facebook's facial recognition technology. EPIC Executive Director Marc Rotenberg said, "The problem is that the people Facebook is trying to 'tag' did not consent to being identified." 

In response, Facebook Deputy Chief Privacy Officer Rob Sherman said, "Our face recognition technology helps people manage their identity on Facebook and makes our features work better for people who are visually impaired." 

CNBC also reports that Facebook was in talks with a number of top hospitals and other medical groups proposing they share anonymized data about patients with the company. Facebook had intended the information be used to help hospitals identify which patients need special care or medical treatment. A Facebook spokesperson said, "This work has not progressed past the planning phases, and we have not received, shared, or analyzed anyone's data." 

Next week, Zuckerberg will testify on Capitol Hill about the Cambridge Analytica revelations. Meanwhile, countries across the world, including Canada, the U.K., Australia, New Zealand, China and Indonesia are either monitoring the Facebook situation or launching investigations into Facebook's data-sharing practices. 

photo credit: stockcatalog Facebook via photopin (license)

1 Comment

If you want to comment on this post, you need to login.

  • comment Manu Goel • Apr 9, 2018
    With all this Facebook fiasco, this should be an eye opener for data collectors/processors who hide behind consent to justify collection and use of personal information. It is probably to do with how we in US look at privacy I think. 
    IAPP publishes a lot of good content and I am an avid reader. One other service that doesnt sit well with me is the HireVue video interview service. Has anybody covered it so far? Here is their "Terms and Conditions" that a candidate has to agree with before proceeding(they call it voluntary):
    I understand that through my use of the HireVue service, I will be participating in a video job interview and/or otherwise creating audio/video materials for the purpose of a possible employment opportunity or other business relationship with one of the companies in the  I understand that HireVue, Inc. (“HireVue”) is making the HireVue service available to me for such purposes, and that HireVue is not affiliated with .
    By using the HireVue service, I acknowledge and agree that:
    •	the video interviews in which I participate through my use of the HireVue service will be recorded (audio and video) and I consent to such recordings being made;
    •	with regard to any other audio/video materials that I prepare (or participate in the preparation of) through my use of the HireVue service, I understand that those materials will include audio and/or video recordings of me and I consent to such recordings being made;
    •	all such recordings and other audio/video materials are and shall be the property of , and may, among other things, be used, copied, stored and processed by , HireVue and their respective service providers in any locations worldwide for ’s business purposes;
    •	in furtherance of the foregoing, I hereby irrevocably grant, transfer and assign, and agree to grant, transfer and assign, to  all rights, title and interest in such recordings and other audio/video materials;
    •	 intends for the HireVue service to be used only by persons in the United States of America; and therefore I will not use the HireVue service in connection with a possible employment opportunity or other business relationship  while I am located outside of the United States of America;
    •	HireVue’s privacy policy (a copy of which is available at applies when I am using the HireVue service or otherwise interacting with any HireVue website;
    •	to the maximum extent permitted by law, I hereby waive my right to make any claim or demand or bring any causes of action against  or HireVue arising out of or in connection with my use of the HireVue service or the use of any recordings or other audio/video materials prepared through my use of the HireVue service (including for the purposes of employment screening), and I hereby release and discharge , HireVue and each of their respective affiliates from all claims, causes of action, and demands arising out of or in connection with the foregoing;
    •	I have voluntarily agreed to participate in interviews conducted through the use of the HireVue service;
    •	the terms set forth herein set forth the entire and complete agreement by me concerning matters related to my use of the HireVue service and to the recordings and other audio/video materials associated with my use of the HireVue service.
    Please indicate your acceptance of and agreement to the foregoing terms by clicking on the “I Agree” button below.
    Important: If you do not agree, exit the interview now and contact your recruitment representative.
    To proceed to the interview, Terms and Conditions must be accepted.