By Egzone Sulejmani*
Personal data offers a new source of revenue for social media websites that gather and process user data to sell to other companies for advertisement and marketing purposes.[1] Google is the most used search engine on the Web and Facebook is the largest social media website with more than two billion users worldwide.[2] UC Berkeley researcher Ibrahim Altaweel discovered that “Google’s tracking mechanisms cover 85 percent of the most popular websites [while] Facebook’s tracking reaches 55 percent of the most popular websites.”[3] In a recent report, the World Economic Forum goes as far as declaring that personal data might become “the new ‘oil’ – a valuable resource of the 21st century.”[4] This new digital phenomenon creates new privacy issues for both concerned individuals and the authorities attempting to create a legal framework to regulate the data industry.
As technology has become more integrated into daily life through the advent of smart devices, these websites have become an integral part of their users’ lives. However, people are not always aware of what they agree to when they use these websites.[5] The World Economic Forum reported in 2013 that “it would take the average person about 250 working hours every year or about 30 full working days to actually read the privacy policies of the websites they visit in a year.”[6] The privacy issues associated with these social media websites include: inadvertent disclosure of personal information, tracing and sourcing data through surveillance-like structures created by the host companies, and use of personal data by third-parties.[7]
This article focuses solely on Facebook and compares the United States and the European Union’s legal systems to determine if one is more effective for the protection of personal data. The main issue these systems attempt to address is users’ inadequate or complete lack of consent to obtaining and sharing their personal data.[8] Proponents of privacy protection and certain legal scholars argue that Facebook cannot claim informed consent from its users when most do not read, let alone understand, the terms they are “agreeing with.”[9] In response to this concern, the European Union requires explicit informed consent from users regarding personal data.[10] On the other hand, the United States has not yet exactly defined the legal framework regarding consent in personal data processing.[11] Due to the higher standard regarding user consent, the European Union framework offers more protection for unsuspecting users than the US framework.
Current situation of personal data protection
Professor Asuncion Esteve of the University of Barcelona, notes three principal privacy issues: (1) the lack of or inadequate consent from users to the procedure of obtaining and sharing personal data; (2) users’ inability to access and control their personal information; (3) and the risk of re-identifying anonymous personal data.[12] For example, according to empirical studies, Facebook users are often unaware of what they have authorized Facebook to do with their information by agreeing to the terms and conditions of the website.[13]
Because Facebook’s services are practically free of charge, more than two billion members use the website monthly as of June 2017, and its users post close to 300 million pictures per day.[14] The sheer number of Facebook users’ public posts create complex and widespread privacy issues. In an empirical study that surveyed 210 users, Finnish researchers found that most users, despite their beliefs, did not sufficiently understand Facebook’s privacy policy, and consequently disclosed a significant amount of personal data to both Facebook and third party applications.[15] The study illustrates users’ lack of understanding of the complicated terms of use and privacy policies and how Facebook may use their information in the future.[16] Because of the lack of clarity in user agreements, social media websites are allowed to profit from the sale and use of personal data even when they lack adequate consent from their users.
The personal data market and Facebook’s profit-driven structure pushed Facebook to modify its advertising model. First, Facebook began collecting data about its users’ activities and interests, and creating targeted ads by displaying what “Pages” the user’s friends liked.[17] Secondly, Facebook began tracking its users’ behaviors and activities on other websites not affiliated with Facebook.[18] Thirdly, Facebook expanded its data sharing with other Facebook-owned companies such as Instagram and WhatsApp. Their 2015 terms and policies allow Instagram[19] to share its users’ personal data with Facebook and WhatsApp.[20] This allows Facebook to gather even more personal data which it would use to build a richer database for commercial and advertising purposes.[21]
In recent years, the European Union has fought back against practices like Facebook’s advertising system. In 2014, Facebook acquired WhatsApp but misled the European Union authorities about their data sharing policies.[22] Facebook stated that it would not share data collected through WhatsApp, but shortly after the acquisition, Facebook announced it would begin transferring personal data from WhatsApp to Facebook .[23] The European Union reacted by fining Facebook around $122 million for the infraction, claiming that this giant addition of personal information would operate as an unfair advantage for Facebook over its rivals in online business advertising.[24]
Lack or inadequate consent from users
Because most social media websites originate from the U.S., their privacy policies comply with U.S. law.[25] As Facebook has grown over the years, it has naturally expanded into Europe. Facebook has “subsidiaries in [European Union] Member States that process users’ data according to their privacy policies which were adopted under US law, but are subject to the European privacy legislation.”[26] As such, the Court of Justice of the European Union (CJEU) ruled that the EU’s 1995 Data Protection Directive, regulates the processing of personal data within the European Union, was applicable to Google’s activities in the Member States in which these social media companies were incorporated. In Google Spain v AEPD and Mario Costeja Gonzalez, the court reasoned that the data processing in Spain increased Google’s profitability and thus, Google’s activities in Spain and the U.S. were inextricably linked. This decision will likely apply to other social media websites such as Facebook because of the similarities in both companies’ activities such as their tracking mechanisms, which provide Google and Facebook with detailed information regarding their users’ web browsing habits.
The European Union uses explicit directives to denote situations in which its law governs activities that would normally be regulated by the law of jurisdiction the service originates from. For example, without an explicit directive, United States law would presumptively govern because the social network companies originate from the U.S. The comparison between these two groups of law is helpful to understand the differences between the two privacy legal systems. For instance, while the protection of personal data is a specific right in Europe, as guaranteed by the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,” the United States has not developed a like the EU’s Privacy Directive.[30] In the European Union, the European Directive recognizes the protection of personal data as a fundamental right and sets a list of rules for websites and limits the use of personal data if the company does not have the user’s consent.[31] In the United States, however, the protection of personal data is not a fundamental right and the government gives more latitude to the private companies, creating an overall less protective and comprehensive legal system for data privacy.
In the European Union, Article 2 of the European Directive defines consent as the user’s free and informed agreement for her information to be processed.[32] Article 7 notes that a company may process a user’s personal data as long as the user has “unambiguously given his consent.”[33] Furthermore, Article 10 indicates that the user must have knowledge of the company’s purposes of the processing.[34] Under the EU framework, many Facebook users would not be deemed to have actually given their informed consent regarding the personal data they have posted on the website if the users in general do not understand, or even read and rely on Facebook’s privacy policies, as demonstrated by some empirical studies. According to the EU directives, without informed consent from its users, websites are explicitly prohibited from using user information for purposes not delineated in the policies. Consequently, Facebook would be violating Article 7 of the European Union Directive under EU’s higher standard of explicit, informed context. In contrast to the United States where being “on notice” is enough to presume user consent, the European Union’s higher standard affords greater protection for end users.[36] By explicitly requiring informed consent from the users, the European Union ensures that Facebook, and other such companies, may only use information for purposes the users have explicitly agreed to.
These directives and rules are not merely aspirational; the European Union has been adamant about enforcing these rules. In the past few years, Facebook has received multiple fines from different Member States. The latest fine was assessed in September 2017 when the Spanish Data Protection Authority fined Facebook $1.4 million for collecting personal information from users without first receiving their “informed consent.”[37] Furthermore, Facebook received a $122 million from the European Union for not completely disclosing the data transfer that it had planned on undertaking between WhatsApp and Facebook.[38] In addition to these high-profile fines, Facebook has been subjected to other, smaller fines, lawsuits, and investigations by Member States for its lack of transparency regarding its privacy policies.[39] European courts concluded that Facebook had violated their data protection rules by not providing enough control to its users regarding their personal data and by collecting data on its users on third-party websites without the users’ knowledge.[40]
On the other hand, the United States “uses a sectoral approach to privacy that relies on a mixture of legislation, regulation, and self-regulation.”[41] The United States has not explicitly defined its legal framework regarding privacy and the use of personal data. Instead, the United States government uses an ad-hoc approach, dealing with privacy issues as they come up and leaving it to the companies and their users to voluntarily self-regulate. The current case law, for example, does not deal much with privacy policy violations.
Contract law could be an answer to the issue.[42] For instance, judges have, in the past, deemed browse-wrap agreements (akin to privacy policies that people must press “accept” to agree) unenforceable based on theories of unconscionability or lack of consent.[43] However, contract theories would not apply to the cases discussed above because U.S. courts have concluded that privacy policies are not contractual in nature.[44]
Moreover, although there is not a comprehensive domestic law that regulates the collection and use of data in the United States, United States relies on industry-specific regulations.[45] For example, the Federal Trade Commission Act (15 U.S.C. §§41-58) (FTC Act), “prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies.”[46] The Federal Trade Commission, for instance, recommends that users be put on “notice” of the company’s practices and be given “choices” as to how the users’ personal information is used by the company.[47] However, the FTC does not control the substance of the privacy policies and the companies are effectively allowed to state any purpose as long as they comply with the disclosure requirements.[48]
This ad hoc, industry-specific system does not provide robust protection as the European Directives because these principles are not directly regulated by any United States law and there are no existing rules to manage how well Facebook respects and implements these principles.[49] The U.S. system relies instead on private litigation and its deterrent effects on the companies.[50] Some scholars argue that the transfer of data may fall under the Electronic Communications Privacy Act of 1986 (ECPA).[51] ECPA arguably prohibits the transfer of personal data because personal data are “contents of communication,” the ECPA explicitly prohibits the transfer of contents of communication.[52]. However, proponents of harsher regulations point out that the same act creates seven exceptions in Section 2702(b) and one of them states that a company may transfer contents of communication with the of the subscriber. [53]
Data show that the United States’ government has been less active than the European Union about regulating Facebook’s practices. Rubinstein and Good note for instance that the Electronic Privacy Information Center (EPIC) filed a complaint against Facebook for their new social plug ins that would allow Facebook to store information regarding what their users “liked.”[54] The Wall Street Journal led an investigation that exposed a privacy loophole in Facebook’s policies and Facebook responded with a comprehensive overhaul of its privacy settings.[55] However, it is unlikely that the U.S. government will take more actions to regulate Facebook’s practices.
Conclusion
In conclusion, both the United States and the European Union legal systems provide different mechanisms to protect Facebook users from misuse or abuse and the unlawful sharing their personal data. However, the European Union Directive system of protection seems to provide a more robust protection and seems to be more effective than the United States legal framework because it requires “unambiguous consent” in Article 7 and explicitly requires in Article 10 the user’s knowledge of what the company will be doing with the personal information.
* Egzone Sulejmani is a J.D. Candidate at Cornell Law School where she is an associate for the Cornell International Law Journal.
[1] World Economic Forum [WEF], Personal Data: The Emergence of a New Asset Class at 7 (Jan. 11, 2011), https://www.weforum.org/reports/personal-data-emergence-new-asset-class.
[2] Douglas A. McIntyre, Google Continues to Be Largest US Website, Facebook Close Behind, 24/7WallSt (June 24, 2017, 8:05 AM), http://247wallst.com/media/2017/06/24/google-continues-to-be-largest-us-website-facebook-close-behind/.
[3] Priya Kumar, When Was the Last Time You Read a Privacy Policy?, Slate (Jan. 27 2016, 7:30 AM), http://www.slate.com/articles/technology/future_tense/2017/09/the_privacy_implications_ of_using_digital_habits_to_track_mental_health.html.
[4] World Economic Forum, supra note 1, at 5.
[5] See Virpi Kristiina Tuunainen et al., Users’ Awareness of Privacy on Online Social Networking Sites – Case Facebook, 22 BLED EConf. 1, 14 (June 14–17, 2009), https://domino.fov.uni-mb.si/proceedings.
[6] World Economic Forum [WEF], Unlocking the Value of Personal Data at 11 (Feb. 2013) https://www.weforum.org/reports/unlocking-value-personal-data-collection-usage.
[7] Bernard Debatin et al., Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences, 15 J. Comput.-Mediated Comm. 83 (2009).
[8] Asuncion Esteve, The Business of Personal Data: Google, Facebook, and Privacy Issues in the EU and the USA, 7 Int’l Data Privacy L. 36, 44 (2017), academic.oup.com/idpl/article/7/1/36/3097625.
[9] Id.
[10] Id. at 42.
[11] Id.
[12] Id. at 40.
[13] See Tuunainen et al., supra note 5, at 14.
[14] The Top 20 Valuable Facebook Statistics – Updated September 2017, Zephoria (Sept. 17, 2007), https://zephoria.com/top-15-valuable-facebook-statistics/.
[15] See Tuunainen et al., supra note 5, at 14.
[16] Id.
[17] Yasamine Hashemi, Facebook’s Privacy Policy and its Third-Party Partnerships: Lucrativity and Liability, 15 B.U. J. Sci. & Tech. L. 140, 141 (2009).
[18] Id.
[19] For instance, Instagram’s Privacy Policy states that it “may share User Content and your information (including but not limited to, information from cookies, log files, device identifiers, location data, and usage data) with businesses that are legally part of the same group of companies that Instagram is part of, or that become part of that group (“Affiliates”). Affiliates may use this information to help provide, understand, and improve the Service (including by providing analytics) and Affiliates’ own services (including by providing you with better and more relevant experiences).
[20] See Anne Helmond, The New Facebook Data Policy: Like or Dislike?, Internet Pol. Rev, (Dec. 2, 2014), https://policyreview.info/articles/news/new-facebook-data-policy-or-dislike/341.
[21] Id.
[22] See Mark Scott, E.U. Fines Facebook $122 Million Over Disclosures in WhatsApp Deal, N.Y. Times (May 18, 2017), https://nyti.ms/2qvOPnv.
[23] Id.
[24] Id.
[25] See Esteve, supra note 8, at 41.
[26] Id. at 37.
[27] Case C–131/12, Google Spain v AEPD and Mario Costeja Gonzalez, 2014 E.C.R. 317.
[28] Id.
[29] Kumar, supra note 3.
[30] See Esteve, supra note 8, at 37.
[31] Id. at 40-41.
[32] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. 95/46/EC (L 281) 31, 38.
[33] Id. at 40.
[34] Id. at 41.
[35] See James Grimmelmann, Saving Facebook, 94 Iowa L. Rev. 1137, 1181 (2009); see also Omer Tene, What Google Knows: Privacy and Internet Search Engines, 4 Utah L. Rev. 1433, 1438 (2008).
[36] See Esteve, supra note 8, at 42.
[37] David Meyer, Here’s Why Facebook Got a $1.4 Million Privacy Fine in Spain, Fortune (Sept. 11, 2017), http://fortune.com/2017/09/11/facebook-privacy-fine-spain/.
[38] Aria Bendix, EU Fines Facebook $122 million, The Atlantic (May 18, 2017), https://www.theatlantic.com/news/archive/2017/05/facebook-receives-122-million-fine-from-the-european-union/527325/.
[39] See e.g., Adam Ismail, Facebook under Fire in Europe for Lack of Transparency over Data Practices, Digital Trends (May 17, 2017), https://www.digitaltrends.com/social-media/facebook-data-practices-france-netherlands/.
[40] Id.
[41] See Esteve, supra note 8, at 40–41.
[42] See Tene, supra note 35, at 1469.
[43] Id.
[44] Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 597 (2014).
[45] See generally, Federal Trade Commission Act, 15 U.S.C. §§41-58
[46] Id.
[47] See Esteve, supra note 8, at 42.
[48] Id. at 38.
[49] Id. at 42.
[50] Id.
[51] See Tene, supra note 35, at 1476-82.
[52] Id.
[53] Id. at 1480.
[54] Ira S. Rubenstein & Nathaniel Good, Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, 28 Berkeley Tech. L.J. 1333, 1402 (2013).
[55] Id.