The Oct. 26 announcement by the UK’s information commissioner that Facebook will be fined £500,000 ($644,000 US) is only the first step in what looks to be a series of fines that the social network will face for failing to protect the privacy of its users. While the monetary hit amounts to little more than lunch money for Facebook, it does show the company that Europeans are serious about privacy rules.
Facebook will likely receive a larger reminder at the hands of European Union regulators once a lawsuit filed in Austria reaches resolution. That action could result in fines of as much as $1.63 billion for violating the protections of the EU’s General Data Protection Regulation (GDPR) because of a data breach last year. One of the issues involving that breach is whether Facebook notified EU regulators properly within 72 hours as required by the law.
Ireland’s Data Privacy Commission, which handles Facebook’s privacy issues within the EU, has complained that the notification to regulators lacked sufficient detail, even though it was received within the required timeframe. Exactly what level of fine, if any, Facebook will actually suffer remains to be seen.
But Facebook isn’t out of the woods. The European Commission, which is Europe’s executive branch, wants Facebook to clean up its terms of service or face sanctions. It’s also requiring Facebook to do a better job of explaining what it does with user data. In Germany, meanwhile, Facebook is facing charges that it’s abusing its dominant status by not letting users consent freely to those terms of service.
The argument there is that users are presented with long, often incomprehensible, terms of service that must be agreed to or the user can’t actually use Facebook. Facebook is arguing that those terms of service are a contractual necessity, and that claim is also under investigation in Europe.
Meanwhile, back in Washington, Facebook has been called before Congress to explain its privacy practices and what it does with user data. In August, Sen. Mark Warner, D-Va., told eWEEK that Congress needs to start considering legislation that would require Facebook and other social media companies to explain what they’re doing with user data, and to protect it from misuse. On Oct. 24, Apple CEO Tim Cook told European regulators that the U.S. needs privacy regulations similar to the GDPR.
For Facebook, none of this is good news. The social network exists in a sea of user data. It is Facebook’s raison d’etre. Providing targeted data of its users to advertisers and others is how Facebook makes money. The more data it has, the more money it can make.
While Facebook no longer sells its user data, it can provide targeted access that’s highly precise. This means that if you want to sell your brand of bubble gum only to young white males born between Jan. 1 and April 15, 2002, who love video games, you can do it.
But to do this, Facebook needs to accumulate all of this data, which it does by asking its users to fill out profile information. It also gets other information from what those users post about themselves, the things that interest them and who their friends are.
The amount of information that Facebook maintains on each of its users is truly immense, and while you can find out what’s there, it’s pretty hard if not impossible to be forgotten by Facebook.
The belief in Europe, and increasingly in the U.S., is that if Facebook must retain such information, then it needs to fully inform its users and it needs to give that data extraordinary levels of protection. So far, it’s done neither.
A Costly Problem That Will Only Get Worse
And that’s a problem. Worse, it may be a problem that Facebook isn’t equipped to handle. When it first started as a way for college students to meet each other, not much was required. Everybody was a student, Facebook wasn’t meant to be a business, and breaches were few.
The world has changed, but Facebook hasn’t kept up. These days many people don’t want their personal information being used to enrich a faceless corporation, they don’t want the risks that go with having their private data exposed for the world to see, and they want control over what gets used and what doesn’t.
Facebook may eventually have to learn to deal with this the hard way. Europe has begun laying out what that hard way is, and it’s measured in billions of dollars. If Congress passes legislation that puts some teeth into privacy rules, then Facebook may find another hard way. Perhaps that will get the company to focus on protecting users the way it should.
In the meantime, the best you can do is to get Facebook to send you the information it has on you and then get rid of items you don’t want to be public. You can also control this by not providing information in the first place.
The fact is that you can’t depend on Facebook, or any other social network, to protect your data. You have to do it yourself.