Facebook shifts 1.5 billion users to avoid GDPR



In the aftermath of the Cambridge Analytica revelations, Facebook has decided to modify its terms and conditions so that data of 1.5 billion Facebook users, managed from its European headquarters in Ireland, will now be administered by its US headquarters. The change brings users in Africa, Asia, Australasia and Latin/South America under less strict US privacy laws.

EU Data Protection Authorities have set up a task force to investigate the issues regarding harvesting personal data from social media for micro-targeting for commercial or political reasons. The task force will coordinate the various European investigations on Facebook. The Facebook Contact Group includes the Data Protection Authorities of Belgium, France, Germany (Hamburg), the Netherlands and Spain.

In Europe, Facebook falls under the jurisdiction of Ireland’s Data Protection Commissioner who has asked for a referral to the European Court of Justice in a case concerning Facebook’s data transfers and use of standard contractual clauses. Other DPAs have conducted investigations into Facebook’s privacy policy and use of cookies. In Belgium, this has led to a court action which resulted in the imposition of a fine.

In the United Kingdom, the Information Commissioner is currently conducting an inquiry which is not only looking at Facebook but 30 organisations – social media platforms, data companies, campaigns and political parties - to examine how personal data is used in modern political campaigns. Elizabeth Denham, Information Commissioner, has issued 19 Information Notices in this inquiry. Refusal to respond adequately is a criminal offence which could lead to an unlimited fine in a Crown Court.

Spain’s AEPD, the Data Protection Authority, has opened an investigation against Facebook in order to examine the possible harm caused to Spanish users.

In Italy, the Garante (DPA) met at its office in Rome with Facebook on Tuesday 24 April to ask for clarifications on any breaches committed in Italy. Facebook offered to provide information on:

  • the political marketing companies which have accessed users’ data;
  • information on facial recognition policies and technologies;
  • its compliance process in the light of the EU General Data Protection Regulation;
  • user profiling mechanisms with particular regard to sensitive data;
  • checks being carried out on Facebook-related app developers.

In Germany, the Hamburg Commissioner of Data Protection and Freedom of Information issued a press release (where Facebook has its headquarters for Germany) on 2 March indicating that the Higher Administrative Court (OVG) Hamburg had confirmed his administrative order, banning Facebook from using WhatsApp user data for its own purposes.

See Article 29 Working Party press release on Facebook.

Privacy Laws & Business 31st Annual International Conference includes a session on ‘Ireland as a lead authority under the GDPR and operation of the one stop shop’ by Dale Sunderland, Deputy Data Protection Commissioner, Ireland on Tuesday 3 July 2018.