Authorities order Facebook to adjust its data collection policies

The Government of Germany ordered Facebook to restrict the way the social network collects information from its users

According to network security and ethical hacking specialists from the International Institute of Cyber Security, Bundeskartellamt, the competition authority in Germany ordered Facebook to restrict its data collection and mixing policy when the users did not have given their explicit consent.

This policy extends to data collected from third-party services, as well as to other Facebook-owned platforms, such as Instagram. The social network stated that it would appeal this decision.

To be specific, the German regulator decided:

  • The various Facebook-owned services, such as WhatsApp and Instagram, may keep collecting data, but may not mix this data with those of a user’s main Facebook account, unless they manifest their explicit consent
  • Data collection from third-party sites, and subsequent association to a user’s Facebook account, must also be made under explicit consent of the involved parties

The regulatory authority specified that “a checkmark in a box” is not sufficient explicit consent to accept all Facebook terms. It is important to note that this ruling applies only to Facebook activities on German territory, although other supervisory bodies are likely to start taking similar measures.

On the other hand, the social network maintains that the German regulator has exceeded its functions, since it considers that issuing decisions on the privacy of data correspond to other authorities. However, if the ruling is kept the company must implement technical solutions to meet these requirements within four months. According to experts in network security, Facebook is facing a fine of up to 10% of its annual earnings in case of non compliance.

The supervisory organization maintains that Facebook has abused its dominant market status for mass data collection: “Facebook will no longer be able to force its users to accept the compilation of their data,” said Andreas Mundt, director of the Bundeskartellamt.

“The mix of data sources has helped Facebook create a unique database for each of its users, which consolidated this social network as a dominant agent in the market.”

According to experts in network security, this decision could impact the use of the ‘like’ and ‘share’ buttons on non-Facebook owned sites, as this allows the social network to track the IP address of each visitor, name and browser version, even if the users don’t interact with these buttons.

In a post of its blog, Facebook added that the Bundeskartellamt ignored the measures that the social network has taken to comply with the privacy standards established in the UK’s General Data Protection Regulation (GDPR). “GDPR grants powers to regulators in the field of data protection, not competition authorities”.

On the other hand, the NGO Privacy International believes that if this ruling prevails, Facebook will have to extend these new policies for users around the world.