As numerous posts on Privacy News Online demonstrate, Facebook is one of the biggest problems for privacy around the world. That problem just became bigger, as the company’s market capitalization crossed the one trillion dollar mark for the first time, taking Facebook into the elite club whose other members are Amazon, Apple, Google, and Microsoft. Facebook’s surge in value was driven largely by a judge’s decision to throw out two antitrust cases against the company. That’s disappointing, because antitrust actions seemed to offer a new way to tame internet giants like Facebook, as this blog discussed last month. Although some think the antitrust approach might still be possible, others believe that not only antitrust but also content moderation tools will prove fruitless. Interestingly, the author of that pessimistic analysis, Siva Vaidhyanathan, sees privacy as perhaps the last hope:
[the GDPR] offers some potential to limit the power of big data vacuums like Facebook and Google. It should be studied closely, strengthened, and spread around the world. If the US Congress (and the parliaments of Canada, Australia, and India) would take citizens’ data rights more seriously than they do content regulation, there might be some hope.
Beyond the GDPR, an even more radical and useful approach would be to throttle Facebook’s (and any company’s) ability to track everything we do and say and limit the ways it can use our data to influence our social connections and political activities. We could limit the reach and power of Facebook without infringing speech rights. We could make Facebook matter less.
That’s very much what this blog has been advocating for the last few years now. The trouble is, even with the GDPR, progress has been slow. One important recent development has been the increasing interest in using the GDPR at a national level to police privacy infringements. That’s not how the GDPR was originally envisaged: instead, the “one-stop shop” approach was meant to encourage a “lead supervisory authority” in one EU country to handle the case in conjunction with data protection authorities in the other EU nations. Germany in particular seems keen to go it alone. Alongside that move by a national data protection authority, we now have another local action by Dutch citizens against Facebook claiming damages for allegedly infringing on their privacy. As a press release from the Dutch Consumentenbond (Consumers Association) explains (translation by DeepL):
The Consumers’ Association and the DPS accuse Facebook of collecting private data of its users and their Facebook friends for years. And made this data accessible to third parties without permission. The company made a lot of money with this.
Facebook users were also misled. The platform falsely promised that use would always be free. But users actually “paid” with their data. In this way, Facebook enriched itself unjustifiably and at the expense of its users.
Facebook had tried to get the case dismissed on the grounds that the Dutch court did not have jurisdiction, but the judge threw that argument out, allowing the case to go forward in October of this year. That’s a big win, because it potentially allows Facebook users to sue the company directly for harm to their privacy. If enough people around the EU did the same, this could have a major impact on Facebook’s actions.
The same is true of another important development, in Germany. Like the group action by Dutch users of Facebook, this latest move does not involve the usual data protection authorities. Instead, it has been instigated by the Federal Commissioner for Data Protection and Freedom of Information. One of the key roles of this post is to ensure that Germany’s public sector as a whole complies with the GDPR. Government use of social media is not something we’ve heard much about so far, but that might be about to change in the light of the Federal Commissioner’s letter to all federal German ministers and federal authorities.
In it, the Commissioner reminds German public authorities that “it is not currently possible to operate a Facebook fan page in compliance with data protection requirements”. The German government has been negotiating with Facebook in an attempt resolve this issue. But after two years of discussions, the Commissioner has had enough, and has come to the conclusion that the German public sector is still unable to meet their obligations under the GDPR if they have pages on Facebook. The Commissioner’s letter says (translation by DeepL):
In view of the ongoing violation of the protection of users’ personal data, it is not possible for me to wait any longer. If you operate a [Facebook] fan page, I therefore strongly recommend that you switch it off by the end of this year.
Moreover, the letter notes that the Commissioner is currently auditing the apps of Instagram, TikTok and Clubhouse from a privacy point of view. Already, the initial results show that there are “deficits here in terms of data protection law.” The Commissioner therefore recommends that those working in the German public sector should not use these apps on official devices “for the time being”.
Finally, the Commissioner points out “The public agencies of the Federal Government, which are particularly bound by law, have a role model function with regard to compliance with data protection law.” That’s also the case beyond Germany: it is likely that government departments in other EU countries might take notice and follow suit. If that happens, it would represent a new and very powerful signal to Facebook to strengthen its data protection practices.
Featured image by PietG.