europe-v-facebook.org

Legal Procedure against “Facebook Ireland Limited”

For years the shortcomings of Facebook’s privacy practice have been discussed, thought and talked about. Besides a couple of individual law suits there have been almost no consequences. Oftentimes we read that Facebook is a US company and therefore we cannot do too much within Europe. Are you sure?

“If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.”

(Facebook’s Terms, Chapter 18. ”Other”)

Ireland. Presumably for benefiting from tax advantages Facebook is running an Irish Company.This does not only mean that facebook is saving a lot of money but that Irish and European data protection and consumer law applies.

Irish Authority. The “Data Protection Commissioner” (DPC) [Picture] is the responsible Authority for all data use of Facebook Ireland Ltd. We therefore filed 22 complaints with the Irish DPC. According to the European data protection directive the Republic of Ireland is obligated to sufficiently prosecute any breach of the principles set down in the directive. So far the DPC has only undertaken a non-binding “best practice” audit.

22 Complaints. The major benefit of a Complaint in contrast to a law suit, is that it is only initiating an two-party proceeding by the Irish DPC. We have decided to split the problems into small and individual complaints in order to have a better overview. It is up to the Irish Data Protection Commissioner to decide if the Complaints are justified, so far the DPC has tried everything to avoid a binding legal decision.

Non-binding Audit. In a first report the Irish DPC has listed numerous measurements Facebook has to comply with in order to improve its compliance with the Irish and European law. At the same this first report does not consider many issues we raised, lacks a sound legal reasoning and is non-binding.
Therefore we think that the non-binding “audit” brought Facebook in line with maybe 10% of the EU laws. We are right now continuing our fight for the other 90% and for legally binding decisions on all 22 complaints.

Transparency. All Complaints, answers and letters will be published here. For strategic reasons and reasons of privacy, certain parts must be edited out or cannot be published at all.

Procedure against “Facebook Ireland Ltd.”

1. Complaints against Facebook (August and September 2011)
01	18-AUG-2011	Pokes. Pokes are kept even after the user “removes” them.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
02	18-AUG-2011	Shadow Profiles. Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
03	18-AUG-2011	Tagging. Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out). Info: Facebook announced changes.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
04	18-AUG-2011	Synchronizing. Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
05	18-AUG-2011	Deleted Postings. Postings that have been deleted showed up in the set of data that was received from Facebook.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
06	18-AUG-2011	Postings on other Users’ Pages. Users cannot see the settings under which content is distributed that they post on other’s pages.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
07	18-AUG-2011	Messages. Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
08	18-AUG-2011	Privacy Policy and Consent. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
09	18-AUG-2011	Face Recognition. The new face recognition feature is an inproportionate violation of the users right to privacy. Proper information and an unambiguous consent of the users is missing.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
10	18-AUG-2011	Access Request. Access Requests have not been answered fully. Many categories of information are missing.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
11	18-AUG-2011	Deleted Tags. Tags that were “removed” by the user, are only deactivated but saved by Facebook.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
12	18-AUG-2011	Data Security. In its terms, Facebook says that it does not guarantee any level of data security.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
13	18-AUG-2011	Applications. Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
14	18-AUG-2011	Deleted Friends. All removed friends are stored by Facebook.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
15	18-AUG-2011	Excessive processing of Data. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal “excessive processing”.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
16	18-AUG-2011	Opt-Out. Facebook is running an opt-out system instead of an opt-in system, which is required by European law.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
	24-AUG-2011	Letter from the Irish DPC.		Letter (PDF)
	15-SEPT-2011	Letter to the Irish DPC concerning the new privacy policy and new settings on Facebook.		Letter (PDF)
17	19-SEPT-2011	Like Button. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
18	19-SEPT-2011	Obligations as Processor. Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
19	19-SEPT-2011	Picture Privacy Settings. The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
20	19-SEPT-2011	Deleted Pictures. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
21	19-SEPT-2011	Groups. Users can be added to groups without their consent. Users may end up in groups that lead other to false impressions about a person.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
22	19-SEPT-2011	New Policies. The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)

2. First Report by the Irish Authority (December 2011)
	21-DEZ-2011	First Report by the Irish Data Protection Commission This first report is based on our complaints, but is a proceeding that ran parallel to our complaints. The report is therefor not a final decision for our complaints. The appendix is including some technical background information as well as other additional information. There is also a press release by the DPC and a first comment by Facebook available.	Published	Report (PDF) Appendix (PDF) First Responses: europe-v-facebook.org (PDF) Irish DPC (PDF) Comment by Facebook (Link)
		Our Reaction After studying the report in depth we told the DPC in January 2012 that we do not think that this first report will resolve all issues that were brought before it. Things that are suggested as “best practice” are not even meeting the minimal standard of European data protection law. A solid legal argumentation is missing and the DPC did by far not address all issues that were included in our complaints.	No satisfying response	e-mails of Jan 2012 (PDF)

3. Negotiations with Facebook in Vienna (February 2012)
	05-FEB-2012	Facebook’s letter in preparation on our Meeting in Vienna In order to have a more effective meeting in Vienna we asked Facebook to send us a written summary of all arguments against our complaints. Instead of arguemtns we got a summary of the Irish report.	No satisfying response	FB’s summary of the Irish report (PDF)
	06-FEB-2012	Direct Meeting with Facebook in Vienna According to the Irish Data Protection Act there should be an “amicable solution” between the two parties. Therefore we have had a meeting with Facebook in Vienna, Austria. In order to guarantee as much transparency as possible we have published a “summary of arguments”.	Published	Summary of Arguments (PDF) Press Information (evf): Ahead of the meeting (PDF) Following the meeting (PDF) Press conference (YouTube)
	09-MAR-2012	“Follow Up” by Facebook Following our meeting in Vienna FB was pledging that we will get different missing information in a “Follow Up” document. FB was breaching this pledge and gave us even less information that in the meeting. The table of “all” data categories is a copy of the pages in the Irish report. According to FB this was all the legal team was “comfortable sharing”.	No satisfying response	Follow Up (PDF) Table of Data (PDF)

4. Facebook’s new privacy policy (May/June 2012)
		Because of our complaints Facebook has made many little changes. The biggest change was, that Facebook has proposed a new worldwide privacy policy. Unfortunately they did not stop their illegal forms of data processing but simply wrote them into the policy, which made the new policy worse than the old one. We started www.our-policy.org and managed that Facebook had to have a worldwide vote on the new policy. But because Facebook has hidden the vote really well it did not make the necessary quorum to be binding, despite 87% voting against the changes.		More Information: www.our-policy.org Site Governance Page (FB)

5. Irish ODPC stops communicating with us, despite ongoing procedure (July 2012)
	30-JUL-2012	After we have tried to get access to files, evidence and the arguments by Facebook in three rounds, starting in January 2012, the ODPC has stopped communicating with us - by sending a text message. We have then published the internal struggle we had with the ODPC when trying to get the most basic files about our own case. We were even denied the arguments Facebook has deployed against us. So far we were not informed about the reason why the ODPC is not talking to us anymore.	Published	Round 1: Letters of Jan 2012 Round 2: Letters of Mar/Apr 2012 Round 3: Letters of Jul 2012 (incl. text messages)

6. Review by the Irish Authority (September 2012)
	21-SEPT-2012	In September 2012 the Irish ODPC has checked if Facebook has implemented the non-binding suggestions from the December 2011 Report (see above). The result was that Facebook has implemented “most” of the suggestions, but that it got again additional time to implement the rest.	Published	Review (PDF) (incl. Section by Facebook and “FTR Solutions”) Recording of the ODPC’s press conference (MP3) Part concerning #evf (MP3)

7. Our Response of the “Audit” (December 2012)
	4-DEC-2012	We were asked by the ODPC to submit our view of the “audit” procedure. On more than 70 pages we have showed that the “Audit” has lead to many steps in the right direction, but was unable to solve any of the complaints. In many cases we had to find out that the ODPC did not properly investigate. In some cases the ODPC blindly followed the claims by Facebook, without verification. The question of access to files, evidence and arguments was addressed again.	Rejected / Ignored	Our Response (PDF) Media Update(PDF)
		At the same time Facebook has announced that it is getting rid of the voting mechanism for policy changes and updated its policy for the third time during this procedure.
		We have started “crowd4privacy.org” to collect the necessary funds for a possible legal action against a formal decision by the ODPC.
	7-DEC-2012	Irish ODPC ignores our response. Despite the previous request by the ODPC to indicate our view on the “review” the ODPC has decided “not to comment” our 70 page response. All requests in the document were ignored. It is unclear if this means that our requests were formally rejected or simply not processed. We did also not get any access to the requested files or evidence. The ODPC has asked us to make a request for a formal decision without providing us with the necessary files, responses and answers.		e-mails (PDF)
	14-JAN-2013	Facebook is rejecting “amicable resolution”. The Irish law requires the parties of a complaints procedure to try to find an “amicable resolution”. Since the meeting in February 2012 in Vienna was not leading to any movement by Facebook and the promised documents were never delivered by Facebook we have made a last attempt to find such a solution. Facebook has rejected to engage in such a process.		Letter from Facebook (PDF)

*8. Request for a formal Decision*
		We will soon file requests for a formal, binding decision by the DPC. Since we do not get access to any of the files we were so far unable to drop any complaints. Only after requesting a formal decision the DPC will (for the first time in the procedure) issue a legally binding decision in respect to our complaints.

*9. Formal Decision by the Irish Authority*
		After we and Facebook made our comments to a “draft decision” the Irish DPC will issue the final decision. If we (or Facebook) is unhappy with this formal decision we can appeal it at an Irish court.

*10. Possible legal action against final decisions, if not complaint with EU law.*
		Currently we have to expect that the Irish DPC will not fully enforce Irish and EU law. We are determined to appeal any decission that is not in line with the law. The legal costs for this are estimated to amount to about €300.000. We have already started a crowd funding page at www.crowd4privacy.org to get the necessary funds.