Facebook’s data collection and tracking practices have come under increased scrutiny in Europe in recent years. There are concerns that some of Facebook’s practices, such as tracking users across the internet and combining data from different sources to build detailed user profiles, could be illegal under Europe’s strong privacy laws like the General Data Protection Regulation (GDPR).
What does Facebook track?
Facebook collects a huge amount of data about its users both on its platforms and across the internet. Some of the key things Facebook tracks include:
– User profile information – name, email, phone number, photos etc. This is provided by users when they sign up for an account.
– Posts, likes, shares, comments – any user activity on Facebook services is logged.
– Browsing history – Facebook uses cookies and pixel trackers to monitor what non-Facebook web pages users visit. This allows targeted ads to be shown.
– Location data – collected from users’ devices to provide location-based features and ads.
– Contacts/call logs – uploaded contact lists can be matched with Facebook profiles. Some apps access call and SMS logs.
– Facial recognition data – Facebook may identify users in photos based on face prints.
– Offline data – information collected from third-party data brokers can be matched to user profiles.
How does Facebook track users across the internet?
Facebook uses a number of technical methods to track users’ activity on non-Facebook sites and services:
– **Cookies** – Small text files placed on a user’s device that identify them across websites.
– **Pixel trackers** – Invisible pixels embedded in websites that notify Facebook when a user visits a page or performs an action.
– **Social plugins** – The Like and Share buttons on third party sites enable tracking even if not clicked.
– **Facebook SDK** – Developers integrate Facebook code into apps which enables data gathering.
– **Device fingerprinting** – Combining data points like device type and browser settings to identify users.
– **Partnerships** – Data sharing deals with third parties like data brokers provide additional info.
Examples of data Facebook collects
To illustrate the extent of Facebook’s non-Facebook tracking, here are some examples of data they may collect about a user:
– Visiting the website of a Facebook advertising partner
– Signing up for a service with an email address also used for Facebook login
– Using a shopping app that utilizes the Facebook SDK
– Clicking on an external news link shared by a Facebook friend
– Using a fitness tracker linked to the Facebook app
– Visiting a physical store that shares purchase data with Facebook
– Connecting with a Facebook friend who has your phone number in their contacts
Is Facebook’s tracking legal in Europe?
Facebook’s practices clearly involve large scale collection and aggregation of user data across websites and services. But are these practices actually illegal in Europe?
Relevant European privacy laws
The key laws and directives related to Facebook’s tracking activities in Europe include:
– **General Data Protection Regulation (GDPR)** – Comprehensive EU privacy law that sets strict requirements for processing personal data. In effect since 2018.
– **ePrivacy Directive** – Regulates privacy for electronic communications. Currently being updated to align with GDPR.
– **EU Tracking Directive** – Known as the ePrivacy Directive 2002/58/EC. Governs tracking technologies like cookies.
GDPR requirements
Some key GDPR principles and requirements relevant to Facebook tracking:
– **Lawful basis** – Must have valid legal ground (consent, contract, etc) to process data.
– **Consent** – Must be freely given, specific, informed and unambiguous.
– **Purpose limitation** – Data can only be collected for specified purposes.
– **Data minimization** – Data collected should be limited to what is necessary.
– **Transparency** – Must clearly disclose data collection purposes.
Does Facebook comply with GDPR?
There are differing views on whether Facebook meets GDPR standards:
– **Facebook’s view** – They believe their practices are GDPR compliant and provide users with transparency and control.
– **Critics’ view** – Facebook does not adequately obtain consent for tracking and combines data without a valid legal basis.
– **Regulators’ view** – Authorities like Ireland’s DPC are still investigating whether Facebook complies based on GDPR breach complaints.
Facebook tracking investigations and litigation
Facebook’s tracking practices are the subject of a number of major legal proceedings in Europe:
Irish DPC GDPR investigation
– Ireland’s Data Protection Commission is investigating whether Facebook meets transparency requirements under Articles 12-14 of the GDPR in relation to data processing for behavioral analysis and targeted advertising.
Belgian court order on tracking
– In February 2022 a Belgian court ordered Facebook to stop collecting user data for targeted ads without consent within three months or face fines. Facebook is appealing.
German antitrust order
– In 2019 Germany’s Federal Cartel Office ruled that Facebook abused its dominant position by making use of user data from third-party sources without consent. This was overturned on appeal.
Austrian class action lawsuit
– In 2018 class action group NOYB (led by Max Schrems) filed lawsuits in Austria and Belgium alleging Facebook coerces users to agree to terms of service that are illegal under GDPR. Ongoing.
| Investigation | Status |
|---|---|
| Irish DPC investigation | Ongoing |
| Belgian court order | Being appealed by Facebook |
| German antitrust case | Overturned on appeal |
| Austrian class action | Court proceedings ongoing |
Could Facebook face EU sanctions over tracking?
If authorities establish Facebook is systematically violating EU privacy laws, it could face significant consequences:
GDPR fines
– Under GDPR regulators can impose fines of up to 4% of annual global revenue for serious breaches – over $2 billion in Facebook’s case.
ePrivacy Directive penalties
– EU countries set their own penalties. Facebook could face country-specific tracking bans and fines.
Non-compliance orders
– Regulators could order Facebook to change or stop certain data processing activities until they comply.
Class action lawsuits
– Consumer rights groups could sue Facebook on behalf of users impacted by illegal tracking practices.
Reputational damage
– Regulatory sanctions or findings against Facebook could harm public trust in the brand.
Conclusion
Facebook’s extensive tracking and data collection practices clearly push the boundaries of user privacy. While Facebook maintains its methods are legal and compliant, European regulators and courts are actively investigating whether Facebook’s tracking violates EU laws like GDPR. If authorities establish systematic violations, Facebook faces substantial penalties, with GDPR fines potentially over $2 billion. Even without fines, injunctions to stop certain tracking practices could force changes to Facebook’s business model and impact the targeted advertising revenue it depends on. With EU regulators actively flexing their new powers under GDPR to defend user privacy, Facebook’s data harvesting in Europe looks set for tighter scrutiny and potential challenges in the coming years.