A KU Leuven report commissioned by the Belgian Data Protection Authority (DPA) on Facebook’s data collection practices, released in two parts, first in February and then just this past week, has attracted a great deal of attention. On Tuesday, The Guardian ran a story with the headline, “Facebook ‘Tracks all Visitors, Breaching EU Law’.” On Wednesday, the BBC followed up with “Facebook Hits Back at Data Use Privacy Criticisms.”
However, it’s possible the biggest news created by the reports has yet to land.
The IAPP has learned that the Article 29 Working Party (WP29) Technology Subgroup will discuss the report and Facebook’s terms of service at its next meeting, April 14-15, with the Dutch acting as rapporteur, joined by the Germans and Belgians. (The IAPP is working to get official confirmation of this from France's DPA, the CNIL, which chairs the WP29.)
Further, The Wall Street Journal (WSJ) reports that the French, Spanish and Italian DPAs have initiated investigations, with the CNIL’s Mathias Moulin telling the WSJ: “We are showing a united front before a global actor. It’s time for us to focus on Facebook.”
The Dutch DPA's press office would not confirm the WSJ report directly, but said, “There is a contact group in which several DPAs share information” regarding Facebook’s terms of service.
Finally, the report has also triggered a parliamentary question submitted by Belgian MEP Kathleen Van Brempt, vice chair of the Progressive Alliance of Socialists and Democrats. These parliamentary questions are a way for the EU Parliament to ask for written answers from the European Commission, and the commission must reply within eight weeks of being asked.
In this case, the question references the KU Leuven report, calling it “very alarming,” and asks pointed questions of the commission, including whether it intends to investigate Facebook directly.
However, the commission doesn’t have investigatory powers of this sort, and the European Data Protection Supervisor’s office said that any investigation of Facebook’s practices in the EU would be handled by the various member state DPAs, under the umbrella of the WP29.
For Facebook's part, a company spokesperson told the IAPP the company found a great deal of fault and inaccuracy with the KU Leuven report but, more specifically, said the company would have liked a chance to participate in the report and its findings.
“We’re disappointed,” said the spokesperson, “that the authors of this opinion and the Belgian DPA … have declined to meet with us or clarify the inaccurate information about this and other topics. We remain willing to engage with them and hope they will be prepared to correct their work in due course.”
Perhaps they’ll get that opportunity following the WP29’s next meeting.
“We’re confident,” the Facebook spokesperson said, “we are operating within the law and the EU Data Protection Directive.”