1. Complaints against Facebook (August and September 2011)
|
01
|
18-AUG-2011
|
Pokes. Pokes are kept even after the user “removes” them.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
02
|
18-AUG-2011
|
Shadow Profiles (Big Data). Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
03
|
18-AUG-2011
|
Tagging. Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out). Info: Facebook announced changes.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
04
|
18-AUG-2011
|
Synchronizing. Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
05
|
18-AUG-2011
|
Deleted Postings. Postings that have been deleted showed up in the set of data that was received from Facebook.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
06
|
18-AUG-2011
|
Postings on other Users’ Pages. Users cannot see the settings under which content is distributed that they post on other’s pages.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
07
|
18-AUG-2011
|
Messages. Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
08
|
18-AUG-2011
|
Privacy Policy and Consent. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
09
|
18-AUG-2011
|
Face Recognition. The new face recognition feature is an inproportionate violation of the users right to privacy. Proper information and an unambiguous consent of the users is missing.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
10
|
18-AUG-2011
|
Access Request. Access Requests have not been answered fully. Many categories of information are missing.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
11
|
18-AUG-2011
|
Deleted Tags. Tags that were “removed” by the user, are only deactivated but saved by Facebook.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
12
|
18-AUG-2011
|
Data Security. In its terms, Facebook says that it does not guarantee any level of data security.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
13
|
18-AUG-2011
|
Applications. Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
14
|
18-AUG-2011
|
Deleted Friends. All removed friends are stored by Facebook.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
15
|
18-AUG-2011
|
Excessive processing of Data. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal “excessive processing”.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
16
|
18-AUG-2011
|
Opt-Out. Facebook is running an opt-out system instead of an opt-in system, which is required by European law.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
|
24-AUG-2011
|
Letter from the Irish DPC.
|
|
Letter (PDF)
|
|
15-SEPT-2011
|
Letter to the Irish DPC concerning the new privacy policy and new settings on Facebook.
|
|
Letter (PDF)
|
17
|
19-SEPT-2011
|
Like Button. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
18
|
19-SEPT-2011
|
Obligations as Processor. Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
19
|
19-SEPT-2011
|
Picture Privacy Settings. The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
20
|
19-SEPT-2011
|
Deleted Pictures. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
21
|
19-SEPT-2011
|
Groups. Users can be added to groups without their consent. Users may end up in groups that lead other to false impressions about a person.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
22
|
19-SEPT-2011
|
New Policies. The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.
|
Filed with the Irish DPC
|
Complaint (PDF) Attachments (ZIP)
|
23
|
26-JUN-2013
|
PRISM Facebook Ireland is forwarding data to the NSA (via Facebook USA). Export of data is only allowed if there is an “adequate protection”.
|
Refused by the Irish DPC
|
Complaint (PDF)
|
|
|
|
|
|
2. First Report by the Irish Authority (December 2011)
|
|
21-DEZ-2011
|
First Report by the Irish Data Protection Commission This first report is based on our complaints, but is a proceeding that ran parallel to our complaints. The report is therefor not a final decision for our complaints. The appendix is including some technical background information as well as other additional information. There is also a press release by the DPC and a first comment by Facebook available.
|
Published
|
Report (PDF) Appendix (PDF)
First Responses: europe-v-facebook.org (PDF) Irish DPC (PDF) Comment by Facebook (Link)
|
|
|
Our Reaction After studying the report in depth we told the DPC in January 2012 that we do not think that this first report will resolve all issues that were brought before it. Things that are suggested as “best practice” are not even meeting the minimal standard of European data protection law. A solid legal argumentation is missing and the DPC did by far not address all issues that were included in our complaints.
|
No satisfying response
|
e-mails of Jan 2012 (PDF)
|
|
|
|
|
|
3. Negotiations with Facebook in Vienna (February 2012)
|
|
05-FEB-2012
|
Facebook’s letter in preparation on our Meeting in Vienna In order to have a more effective meeting in Vienna we asked Facebook to send us a written summary of all arguments against our complaints. Instead of arguemtns we got a summary of the Irish report.
|
No satisfying response
|
FB’s summary of the Irish report (PDF)
|
|
06-FEB-2012
|
Direct Meeting with Facebook in Vienna According to the Irish Data Protection Act there should be an “amicable solution” between the two parties. Therefore we have had a meeting with Facebook in Vienna, Austria. In order to guarantee as much transparency as possible we have published a “summary of arguments”.
|
Published
|
Summary of Arguments (PDF)
Press Information (evf): Ahead of the meeting (PDF) Following the meeting (PDF) Press conference (YouTube)
|
|
09-MAR-2012
|
“Follow Up” by Facebook Following our meeting in Vienna FB was pledging that we will get different missing information in a “Follow Up” document. FB was breaching this pledge and gave us even less information that in the meeting. The table of “all” data categories is a copy of the pages in the Irish report. According to FB this was all the legal team was “comfortable sharing”.
|
No satisfying response
|
Follow Up (PDF) Table of Data (PDF)
|
|
|
|
|
|
4. Facebook’s new privacy policy (May/June 2012)
|
|
|
Because of our complaints Facebook has made many little changes. The biggest change was, that Facebook has proposed a new worldwide privacy policy. Unfortunately they did not stop their illegal forms of data processing but simply wrote them into the policy, which made the new policy worse than the old one. We started www.our-policy.org and managed that Facebook had to have a worldwide vote on the new policy. But because Facebook has hidden the vote really well it did not make the necessary quorum to be binding, despite 87% voting against the changes.
|
|
More Information: www.our-policy.org Site Governance Page (FB)
|
|
|
|
|
|
5. Irish ODPC stops communicating with us, despite ongoing procedure (July 2012)
|
|
30-JUL-2012
|
After we have tried to get access to files, evidence and the arguments by Facebook in three rounds, starting in January 2012, the ODPC has stopped communicating with us - by sending a text message. We have then published the internal struggle we had with the ODPC when trying to get the most basic files about our own case. We were even denied the arguments Facebook has deployed against us. So far we were not informed about the reason why the ODPC is not talking to us anymore.
|
Published
|
Round 1: Letters of Jan 2012
Round 2: Letters of Mar/Apr 2012
Round 3: Letters of Jul 2012 (incl. text messages)
|
|
|
|
|
|
6. Review by the Irish Authority (September 2012)
|
|
21-SEPT-2012
|
In September 2012 the Irish ODPC has checked if Facebook has implemented the non-binding suggestions from the December 2011 Report (see above). The result was that Facebook has implemented “most” of the suggestions, but that it got again additional time to implement the rest.
|
Published
|
Review (PDF) (incl. Section by Facebook and “FTR Solutions”)
Recording of the ODPC’s press conference (MP3) Part concerning #evf (MP3)
|
|
|
|
|
|
7. Our Response of the “Audit” (December 2012)
|
|
4-DEC-2012
|
We were asked by the ODPC to submit our view of the “audit” procedure. On more than 70 pages we have showed that the “Audit” has lead to many steps in the right direction, but was unable to solve any of the complaints. In many cases we had to find out that the ODPC did not properly investigate. In some cases the ODPC blindly followed the claims by Facebook, without verification. The question of access to files, evidence and arguments was addressed again.
|
Rejected / Ignored
|
Our Response (PDF) Media Update(PDF)
|
|
|
At the same time Facebook has announced that it is getting rid of the voting mechanism for policy changes and updated its policy for the third time during this procedure.
|
|
|
|
|
We have started “crowd4privacy.org” to collect the necessary funds for a possible legal action against a formal decision by the ODPC.
|
|
|
|
7-DEC-2012
|
Irish ODPC ignores our response. Despite the previous request by the ODPC to indicate our view on the “review” the ODPC has decided “not to comment” our 70 page response. All requests in the document were ignored. It is unclear if this means that our requests were formally rejected or simply not processed. We did also not get any access to the requested files or evidence. The ODPC has asked us to make a request for a formal decision without providing us with the necessary files, responses and answers.
|
|
e-mails (PDF)
|
|
14-JAN-2013
|
Facebook is rejecting “amicable resolution”. The Irish law requires the parties of a complaints procedure to try to find an “amicable resolution”. Since the meeting in February 2012 in Vienna was not leading to any movement by Facebook and the promised documents were never delivered by Facebook we have made a last attempt to find such a solution. Facebook has rejected to engage in such a process.
|
|
Letter from Facebook (PDF)
|
8. PRISM complaint turned down / Deadline for remaining 22 Complaints
|
|
25-JUL-2013
|
PRISM Complaint not investigated The DPC has refused to take any decision on the “PRISM” complaints, saying that the EU has “envisioned” the use by the NSA when making the “Safe Harbor” decision in 2000. Therefore there is “nothing to investigate”.
|
|
Letters from the DPC (PDF)
|
|
8-AUG-2013
|
Sudden Deadline for remaining 22 Complaints In a letter the DPC has suddenly given us a deadline until the 30th of August to make a “request for a decision” otherwise the DPC would simply make a decision without a request for it. The reason given: The DPC fears reputational damage from the ongoing complaint. We are still refused access to any parts of the procedure (evidence, arguments, files).
|
|
Letters from the DPC (PDF)
|
|
|
|
|
|
9. Request for a formal Decision
|
|
28-AUG-2013
|
After the DPC has forced us to make a “request” we have filed an involuntary 150 page request, summarizing all 22 complaints and the reaction by Facebook and the DPC. In all cases we see the original complaints to be justified. Only in in some cases we could see an improvement throught the “audit” procedure.
|
|
Request (PDF)
|
|
|
|
|
|
10. First written Response from Facebook
|
|
30-SEPT-2013
|
For more than two years we have tried to get the arguments from Facebook. The Irish DPC has so far refused to grant us access to any arguments.
Now we have surprisingly received more than 200 paged of “arguments”. Unfortunately Facebook is in most cases not dealing with the core of our complaints but responded with arguments that seem to irrelevant for out complaints. In many cases Facebook “reinterprets” our complaints before it is answering them in ways that are illegitimate. Facebook does in no way take a legal position. The law is not mentioned with a single word. On the factual level Facebook is mainly referring back to the “audit”. All evidence is still missing, but we are still happy to be able to publish these documents now.
To get a full picture we highly recommend to compare Facebook’s response to our “request for a formal decision” (see above).
|
01 Pokes 02 Shadow Profiles (Big Data) 03 & 11 Tags & Deletion of Tags 04 Synchronizing 05 Deleted Postings 06 Postings on other Users’ Pages 07 Messages 08 & 16 Privacy Policy and Consent & Opt-Out 09 Facial Recognition 10 Access Requests 12 Data Security 13 Apps 14 Deleted Friends 15 Excessive processing of Data 17 Like Button 18 Duties as Processor 19 & 20 Pictures Privacy Settings & Deleted Pictures 21 Groups 22 New Policies
|
|
31-OCT-2013
|
Response to Facebook’s Submission On about 30 pages we have summarized that the submission from Facebook is in many ways missing the point of the complaints and in most cases only a list of unprooven or even clearly false claims
|
|
Response (PDF)
|
|
|
|
|
|
11. End of the Procedure
|
|
31-JUL-2014
|
After almost three years we have taken back all initial 22 complaints with the Irish DPC against Facebook on July 31st 2014.
This decision was based on the fact that the Irish DPC has refused a formal decision for years and has not even granted the most basic procedural rights (access to files, evidence or the counterarguments). The DPC has factually stopped all forms of communication and ignored all submissions made. Many observers assumed that this may be based on political and economic considerations in Ireland.
From a purely legal perspective our Irish lawyer has advised us to file a number of lawsuits against the Irish DPC, but fighting the large number of issues before the Irish courts is unfeasible. Such a procedure is neither financially (multiple € 100.000) nor time wise (multiple years and countless flights to Ireland) possible for a consumer. This became obvious during our “Judicial Review” procedure in the “PRISM” case. The procedure in relation to this single complaint will likely take 2 to 3 years and the financial risk could have reached multiple € 100.000.
The “PRISM complaint” is however still pursued and is funded by the separate NGO “europe-v-facebook.org” through previously collected donations.
|
|
|
|
|
|
|
|