Anyone who uses Facebook will know of Mark Zuckerberg’s promise that “it’s free, and it always will be”. Most people will have also wondered how Facebook makes its money, and many people will be aware that it does so by selling customer data. The conflict between GDPR and social media will always be an issue.
However, few people will be aware of the extent to which Facebook mines their personal details, and fewer still will be aware of the risk this has posed to the security of their data in the past and how it may still be misused.
How does Facebook harvest data?
Let’s face it, people often overshare on Facebook. People want their friends and family to know what they’re up to, how they’re feeling, where they are, and who they’re with. However, they often make the mistake of forgetting who will ultimately see that information.
When new users signed up with Facebook before May 2018, they had to voluntarily opt-out if they didn’t want Facebook holding certain types of data, and this meant that unless you positively checked a box to say you didn’t want them to hold certain types of information, they could. Furthermore, once they’d passed it to various third parties, Facebook was no longer responsible for how said information was subsequently used.
Facebook can gain a great deal of information from users: They know a user’s name, address, the type of devices they use, their location, the apps they’ve installed, the nature and amount of any purchases made through Facebook, and they have access to your contacts and installed apps. Prior to 2018, Facebook didn’t have to ask explicit permission to hold this data; it was sufficient that users simply did not check the box to object.
Facebook and the data breach
Under previous data protection regulations, advertising businesses could buy users’ data to build up a picture of their income, location, spending habits, interests, and socioeconomic status without explicit consent. This changed in 2017 when the Cambridge Analytica scandal broke.
The British company had obtained permission from certain Facebook users to take part in a paid survey through an app, but this app used was able to ‘scrape’ not only the sensitive personal data of participants but their Facebook contacts as well. This was then used to influence votes in both the US and UK. While the fine in the US was a massive $5 billion, the UK Information Commissioner’s Office (ICO) was only able to levy the maximum penalty of £500,000.
As a result, new European legislation was drafted to replace existing data protection legislation: the General Data Protection Regulations (GDPR) 2020.
The differences between the GDPR and the Data Protection Act
The primary difference between the old legislation and the new consists of being able to satisfy point (a) of Article 6 of the GDPR that: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
What this means in practice is that Facebook can no longer rely on implicit permission for user data to be processed. In order to sign up to Facebook and create an account, users have to check boxes to give explicit permission for access to data such as phone contacts and apps. Furthermore, Facebook has to provide users with an option to review any data they hold on them. As a data processor, Facebook could be subject to a fine of up to €20 million, or 4% of its worldwide turnover, (whichever is greater) if it’s found to have breached the GDPR.
So, is my data now safe with Facebook?
Facebook was found to be in serious and flagrant breach of previous data protection legislation, and it took three years of tenacious investigative journalism before the facts became known to the authorities, so who can say it won’t happen again?
Also, although Facebook is bound to the GDPR in the EU and its protections extend to all EU users, and although it has agreed to follow the template of the GDPR in the US, this is not legally binding, and its promises are hard to nail down.
Not only that, soon after the introduction of the GDPR, it faced investigation for yet more data breaches.
While the size of any potential fine should provide a strong deterrent to any further infractions, it relies on a uthorities being able to identify and investigate any potential occurrences. What’s more, Facebook is so profitable, it is unlikely any fine will be enough of a deterrent.
Furthermore, despite Facebook’s apparent cooperation, it is still run as a profitable business enterprise. While users have to check boxes to give explicit permission for Facebook to access certain data, the consent flow is designed so that hitting the ‘accept’ button provides the path of least resistance to getting started. Furthermore, anyone using the “manage data setting” button to withdraw permissions that they have already given Facebook will be taken through an interstitial that presents Facebook’s argument against denying their access to sensitive personal information.
In short, it’s designed to encourage users to say ‘yes’ to everything.
And that’s before we get to easily-available information: Facebook is currently embroiled in a dispute with a company called Clearwater AI that is using Facebook users’ profile pictures to build a database of images for its facial recognition software. While Facebook claims it’s a breach of their policies, Clearwater is claiming fair usage due to the fact that the images are freely available.
To summarise, while the GDPR has gone some way to giving users of social media an element of control, it’s limited in that they can only control what Facebook has, not what they’ve passed on to others, and it’s fairly difficult to resist Facebook’s efforts to gather the data that they want.
Should I find out what Facebook has on me?
Absolutely. You may be shocked at the amount of data they hold, and how intimately they know you.
Data includes:
- Pages you view, both on and off the Facebook platform
- Device data including operating system and hardware
- Network and connections such as mobile operator and IP addresses
- Locational data and people nearby.
A full list of exactly what data Facebook collects about you can be found here.
Once you know, you are in a position to request they delete any information that you don’t want them to have. Once you do this, they need to remove it from your visible profile and delete it completely within 30 days.
However, Facebook doesn’t make this easy. There are many new online services appearing in recent years to help users get access to their rightfully owned data.