Facebook Doesn’t Plan to be GDPR Compliant

Today Facebook updated their policies and asked users for permissions for certain kinds of data in relation to the new EU data protection regulation — GDPR.

From what I saw (and I’m doing GDPR consultancy so I know a thing or two about the Regulation) they don’t plan to be GDPR compliant. Or at least plan to walk on the thin ice of “not strictly compliant”.

Here’s a screenshot from the mobile app. And there’s so much wrong with it.

• “Keep in mind we’ll still use data to personalize and improve our products”. No. This is the screen where you agree to Facebook collecting your behaviour across the web (with Facebook pixel and other tools using tracking cookies). My consent is not just about how you use that data — my consent is also whether you collect it or not. The only way Facebook can still continue to collect that data is if they prove the so called “legitimate interest”. And you can’t possibly prove legitimate interest for massively collecting everyone’s behaviour online.
• This is not the best way to ask for consent. In my view, “Accept and continue” is forbidden under GDPR. To quote recital 32: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent”. “Accept and continue” is effectively a pre-ticked box. The options should be “Yes” and “No” for each particular data processing activity, not “Yes” and “Go to configuration”. An indication of the failure of this approach to be clear enough is that I didn’t realize how I agreed to face recognition, even though I read almost all of the text. Imagine the average user. One can still argue that it’s okay to ask it in such a way, but it’s questionable at best.
• They plan to continue to collect information not needed to provide the service, such as mouse movements, device signal (bluetooth signal, cell towers), ISP, information about other devices that are nearby, etc. And you can’t opt-out of these, which you should be able to under GDPR (and you should agree in the first place)
• The current “Download my data” functionality does not export data collected from tracking cookies, nor the data from the previous point. And it has to.

Facebook seems to think “privacy” means what other people can or can’t see about you. I have to disappoint them — it’s also about what they can or can’t see about you.

So, dear EU data protection authorities, your move. After May 25th Facebook will be in breach of the Regulation. I’d suggest going through the multiple series of “recommendations” early, so that they have time to implement GDPR properly.