- Nakul Chengappa

Social media platforms such as Facebook and Instagram, together with services such as Google, have come to be regarded as essential entities that shape public discourse, and they are popular channels for marketing. These services, which benefit both vendors and consumers, employ several technological tools, such as cookies, to provide personalised information to their users. By improving its ability to anticipate and predict a person's likes and dislikes, Facebook has become extremely appealing to vendors, who can now concentrate their resources on identifying target consumers more accurately. These platforms offer free access, monetising the information of their users in order to stay financially afloat. Nevertheless, the use of these platforms for commercial purposes has resulted in instances of large-scale misuse of personal data, such as the Cambridge Analytica scandal.

The growth of social media platforms like Facebook has called for robust regulation to protect the data of their users. Thus came into being the General Data Protection Regulation (hereafter the GDPR), adopted in 2016 and applicable from 25 May 2018, replacing the existing Data Protection Directive 95/46/EC. The Regulation is not free from challenges, one of the largest being technological illiteracy. Users are often not well versed in how their data is collected, how it is used and what their consent implies. Namely, the problem lies in the fact that while consent as an empty formality is obtained, informed consent may largely be lacking.

Compliance of Facebook with the GDPR guidelines

After the Safe Harbour case (Schrems I, Case C-362/14, in which the Court of Justice of the European Union invalidated the EU-US Safe Harbour decision in 2015), Facebook's terms and conditions underwent substantial changes in order to protect the privacy of its users and to abide by the guidelines set out in its data policy. In an attempt to incorporate the requirements of the GDPR, Facebook has identified certain principles, such as transparency, control and accountability, to protect the data of its users. Facebook's privacy principles aim at an approach in which the user has the utmost control over their data and its usage.

Nature of information collected and processed

Facebook collects and stores information provided to it by its users, information relating to the device through which a user accesses the service, and information from partner sites. As to information provided by its users, Facebook stores likes and dislikes, preferences, uploads, content revealing political orientation and other personal data of this nature. Further, Facebook collects transaction information from partner websites, information associated with the device from which Facebook is used, location data from the Global Positioning System (GPS), and information on networks and connections. It also has access to data that users provide to its partners, which include affiliated companies and advertisers.

The definition of ‘Personal Data’ in the GDPR is wider than, albeit similar to, the definition in Directive 95/46/EC. Article 4(1) defines it as “any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, which clearly brings the information collected by Facebook within its ambit. Therefore, Facebook, having collected Personal Data, must comply unequivocally with the requirements of the Regulation.

Application of GDPR to Facebook

Article 4(7) and Article 4(8) of the GDPR define “Controllers” and “Processors” of Personal Data respectively. Controllers are the entities that determine the purposes and means of processing Personal Data; Processors are the entities that process Personal Data on behalf of a Controller. By its own admission, Facebook operates the majority of its services as a Controller. However, there are instances in which it operates as a Processor, when working with businesses and other third parties.

The ambit of these definitions and the role of Facebook as a Controller/Processor leaves no room for doubt about the application of the GDPR to the service, which by extension obligates Facebook to comply with it. These definitions, coupled with the provisions on material and territorial scope (Articles 2 and 3), clearly bring Facebook within the Regulation, specifically in relation to Data Subjects who are in the European Union: Article 3(2) applies the GDPR to a controller not established in the Union where it offers goods or services to, or monitors the behaviour of, data subjects in the Union.

Use of Data Procured

Facebook, in its Privacy Policy, states that information provided by Data Subjects while creating or using their account will be used to personalise products and services (including targeted advertising), to provide analytics to businesses, to promote the safety and integrity of the Data Subject by detecting suspicious activity, and to promote communication and innovation for social good. Chapter 2 of the GDPR lays down the principles and lawful bases that govern the processing of such information. While most of this information, such as consumer preferences, interests, likes and dislikes, is processed lawfully, content revealing the political views of individuals cannot be said to have been processed lawfully, as the Cambridge Analytica scandal made abundantly clear.

Under Article 9, political opinions are, inter alia, special categories of Personal Data that cannot be processed unless the Data Subject's ‘explicit consent’ has been obtained (Article 9(2)(a)). While a defence could be claimed under Article 9(2)(e), which covers data manifestly made public by the Data Subject, no other provision of Facebook's policies allows the processing of such information. The Cambridge Analytica scandal is a vital example: sanctions were imposed on Facebook for enabling the processing of information relating to the political orientation of its users, with the stated aim of influencing voters in the US presidential election. (The underlying harvesting took place in 2014 and 2015, before the GDPR applied, so the UK Information Commissioner's £500,000 penalty of 2018 was imposed under the Data Protection Act 1998 rather than under the GDPR.) However, the true liability of Facebook is still open to question, considering its lack of direct involvement and the fact that the information was passed directly to Cambridge Analytica by the third-party application that collected it. Therefore, liability can only be attached to Facebook if it can be proved that it had knowledge of the activities of its users.

The need to regulate such instances nevertheless continues to exist, because these intermediaries are exempted from liability on the reasoning that the contrary would impose onerous obligations on websites, which would then refrain from carrying on business, with further socio-economic implications. An example of such immunity is also found in Indian law, under Section 79 of the Information Technology Act, 2000.

Consent and Autonomy

The foundation of both privacy law in general and the GDPR lies in an attempt to maximise Data Subjects' autonomy and control over their own Personal Data. That autonomy in turn correlates with the need for the Data Subject's consent to the use of their data, which the GDPR requires to be freely given, specific, informed and unambiguous (Article 4(11)). Facebook is largely compliant with the requirements of Chapter 3, which, although relating to the overall rights of Data Subjects, are connected with the predominant need for consent. The right of access (Article 15) is complied with, as Facebook allows its users to download all data belonging to them that the service has used. In this sense, Facebook has been instrumental in enhancing the control possessed by Data Subjects over their data. However, with regard to information required by bona fide law enforcement agencies, Facebook has retained the right, in the public interest, to keep such information and hand it over to those agencies.

The right to be forgotten

The primary principle of the GDPR is to enhance the control that Data Subjects can exercise over their data once it is published online. The right of erasure (Article 17), reflected in Facebook's Privacy Policy, is one such measure: it allows the Data Subject to delete Personal Data that was given consensually. In 2011 Facebook was charged with unlawfully retaining Personal Data and sharing it with third-party applications. It has therefore reworked its policy to guarantee erasure and deletion of the Personal Data of users who wish to delete it. The Privacy Policy states that, upon deletion of an account, the user's information will be deleted within a period of up to 90 days, but that some information, such as messages sent to other users and log records, may be retained and will not be deleted. Facebook has assured, however, that the retained data will be pseudonymised, which greatly reduces, though does not eliminate, the possibility of identifying persons from it: under Article 4(5), pseudonymised data is data that can no longer be attributed to a specific person without the use of additional information kept separately, and Recital 26 makes clear that such data remains Personal Data for as long as that additional information exists.
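To make the pseudonymisation point concrete, the following is an added example, not Facebook's code and not based on any knowledge of its retention pipeline. It pseudonymises constructed log records with a keyed HMAC, shows why an unkeyed hash of a user ID is not pseudonymisation in the Article 4(5) sense (the identifier space is small enough to enumerate), and shows that the holder of the key can still re-identify a record, which is exactly why the output remains Personal Data. Field names, the sample records and the key are all hypothetical.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed sample records of the kind a platform might retain after an
# account is deleted (hypothetical schema, not Facebook's).
SAMPLE_LOG: List[Dict] = [
    {"user_id": 10421, "email": "alice@example.com", "ip": "203.0.113.7", "event": "login"},
    {"user_id": 10421, "email": "alice@example.com", "ip": "203.0.113.7", "event": "post_deleted"},
    {"user_id": 77, "email": "bob@example.com", "ip": "198.51.100.2", "event": "login"},
]

# Fields that identify a person directly or indirectly (GDPR Art. 4(1)).
IDENTIFIER_FIELDS = ("user_id", "email", "ip")


def naive_hash(value) -> str:
    """Unkeyed SHA-256 of an identifier: looks opaque, but is reversible by
    enumeration whenever the identifier space is small (sequential IDs)."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def keyed_pseudonym(value, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. The key is the 'additional information' of
    Art. 4(5): whoever holds it can re-identify, whoever does not cannot."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace every identifier field with its keyed pseudonym, leaving the
    non-identifying event data intact so the log stays useful for analytics."""
    out = []
    for record in records:
        copy = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in copy:
                copy[field] = keyed_pseudonym(copy[field], key)
        out.append(copy)
    return out


def recover_ids_from_naive(hashes: Iterable[str], max_id: int = 100_000) -> Dict[str, int]:
    """Dictionary attack on unkeyed hashes: precompute SHA-256 of every
    plausible user_id and look the hashes up. No key, no secret, no problem."""
    table = {naive_hash(i): i for i in range(max_id)}
    return {h: table[h] for h in hashes if h in table}


def re_identify(pseudonym: str, candidate, key: bytes) -> bool:
    """What the key holder can do with retained data: confirm that a pseudonym
    belongs to a known person. This is why pseudonymised data is still
    Personal Data while the key exists (Recital 26)."""
    return hmac.compare_digest(pseudonym, keyed_pseudonym(candidate, key))


if __name__ == "__main__":
    # Hypothetical key; in practice it lives in a separate key store with
    # its own access controls and a deletion schedule of its own.
    KEY = b"hypothetical-32-byte-secret-key!"
    for row in pseudonymise(SAMPLE_LOG, KEY):
        print(row)
    print("naive hashes recovered:", recover_ids_from_naive(naive_hash(r["user_id"]) for r in SAMPLE_LOG))
```

Two properties are worth checking on the output: records of the same user remain linkable to each other (the pseudonym is deterministic per key), which is what keeps the log usable, and a different key yields different pseudonyms, so rotating or destroying the key is what actually severs the link to the person.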

Cross-border transfer of information

Facebook admittedly shares information provided by Data Subjects worldwide and states that it complies with Chapter 5 of the GDPR. Before transferring data internationally, all requirements of Chapter 5 must be met. An adequacy decision under Article 45 is the first ground to consider before transferring data to a third country. Facebook's terms and policies state that it relies on adequacy decisions and, where none applies, on the standard contractual clauses (Article 46) as the basis for international transfers; those clauses are contractual commitments between the data exporter and the data importer, of which the Data Subject is informed rather than being a party to them. Adequacy decisions are not permanent: the Safe Harbour decision was invalidated in 2015 and the EU-US Privacy Shield in July 2020 (Schrems II, Case C-311/18), which also requires exporters relying on standard contractual clauses to verify that the law of the destination country does not undermine them.

Dicey: Is General Data Protection Regulation (GDPR) an arduous regulation?

Owing to Facebook's pattern of privacy issues and scandals, it has faced serious criticism and user outrage multiple times. Since its inception, Facebook has been notorious for its loose handling of Personal Data and its lack of strong data protection and privacy policies. Although in theory most websites may appear more or less compliant with the law, enforcing liability for data breaches is difficult, not merely because of laxity in the websites' handling of their Data Subjects' information, but also on account of several other factors which require an institutional change beyond anything a mere law might induce. As a consequence of the Cambridge Analytica catastrophe, which revealed how inadequate American privacy law is, we now find ourselves asking whether the General Data Protection Regulation (GDPR) is an arduous regulation to be feared or rather a creation years ahead of its time. Moreover, although these privacy provisions exist on the website and are consented to by users, little of this content is actually read and understood thoroughly. Along with Facebook, the burden also lies on users not only to comprehend the legal and technological jargon, but also to exercise their autonomy effectively.

1) Chris J. Hoofnagle & Jan Whittington, Free: Accounting for the Costs of the Internet's Most Popular Price, 61 UCLA L. REV. 606, 628 (2014)

2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1

3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31

4) Accessible at https://www.facebook.com/business/gdpr. Last accessed on 17.04.2020

5) Accessible at https://www.facebook.com/about/basics/privacy-principles. Last accessed on 17.04.2020

6) Statute of Westminster, The First 1275, 3 Edw. I c. 25, 28 & 33 (Eng.).

7) Accessible at https://www.facebook.com/business/gdpr. Last accessed on 18.07.2020

8) Accessible at https://www.facebook.com/about/privacy/update. Last accessed on 18.07.2020

9) Accessible at https://www.facebook.com/help/125338004213029. Last accessed on 18.07.2020

10) Accessible at https://www.facebook.com/about/privacy/update#. Last accessed on 18.07.2020

11) GDPR Art. 1, Art. 2, Art. 3, Art. 4(5), Art. 4(7)(8), Art. 4(11), Art. 15, Art. 17 & Art. 44
