Privacy champion Schrems blasts Irish authorities over secret Facebook deal

Max Schrems, one of the central figures in bringing down the EU-US Privacy Shield, has penned an open letter that slams the Irish Data Protection Commission for not dealing with Facebook appropriately.

With his privacy campaign organisation, noyb.eu (none of your business), taking on the social media giant, Schrems has heavily criticised the regulator for a lack of action, for shrouding its investigations in mystery, and for holding secret meetings with the firm to create a ‘consent bypass’ situation.

“It sounds a lot like those secret ‘tax rulings’ where tax authorities secretly agree with large tech companies on how to bypass the tax laws – just that they now do this with the GDPR too,” noyb.eu Chairman Schrems said.

The ‘consent bypass’ was an agreement between the authorities and Facebook to switch its policy from ‘consent’ to an alleged ‘data use contract’, allowing the company to track, target and conduct research on users.

“It is nothing but lipstick on a pig,” said Schrems.

“Since Roman times, the law prohibits ‘renaming’ something just to bypass the law. What Facebook tried to do is not smart, but laughable. The only thing that is really concerning is that the Irish DPC apparently engaged with Facebook when they were designing this scam and is now supposed to independently review it.”

According to research quoted by the privacy advocates, only 1.6 – 2.5% of users were aware they were actually entering into a ‘data use contract’. If these figures are anywhere near accurate, that level of awareness is nowhere near good enough.

This entire saga is a bit of ‘he said, she said’ with mud being slung across the wall. On one side of the coin, it is not difficult to imagine secret meetings to figure out how rules can be circumvented, but it is also within reason to assume Schrems and his privacy cronies are exaggerating and making a mountain out of a molehill.

Schrems has stated his organisation filed complaints about Facebook within the first few hours of GDPR coming into force; however, the subsequent investigations have still not been concluded. This is a fair complaint. These investigations do take time, but there has to be a limit. The Information Commissioner’s Office (ICO) in the UK has delivered dozens of rulings in this period, while the Irish DPC celebrated completing the first of six steps last week.

Facebook is a very complicated business with operations spanning across almost every European nation, and while the Irish DPC has been designated lead regulatory authority for several high-profile names, it is not proving itself worthy of this responsibility yet.

Again, you have to take Schrems’ claims with a pinch of salt, but Silicon Valley is escaping without punishment, and we find it impossible to believe all of its residents are acting perfectly within the rules. It would be more credible to blame overly complex bureaucratic processes, a lack of funding, steep workloads and people just not taking privacy as seriously as they should, with Silicon Valley’s residents at the top of that list.

Tinder comes under the scope of Irish GDPR watchdog

Dating apps have forever changed the way millennials find relationships (for however long they last…) but Tinder has found itself under the scrutiny of the Irish regulator.

The dating trailblazer has found itself alongside serial privacy offender Google as the focal point of an investigation from the lead European GDPR regulator, the Irish Data Protection Commission. The question is whether MTCH Technology Services, the parent company of Tinder, complies with GDPR in its processing of user data.

“The identified issues pertain to MTCH Technology Services Limited’s ongoing processing of users’ personal data with regard to its processing activities in relation to the Tinder platform, the transparency surrounding the ongoing processing, and the company’s compliance with its obligations with regard to data subject rights requests,” a statement from the regulator said.

Interestingly enough, a recent investigation from the Norwegian Consumer Council (NCC) suggested several dating apps, such as Grindr, OkCupid and Tinder, might be breaking GDPR. The investigation found that nine out of ten of the most popular dating apps were transmitting data to ‘unexpected third parties’ without seeking consent from users, potentially violating GDPR.

As these applications collect sensitive information, including sexual preferences, behavioural data and location, there could be quite the backlash. The Irish Data Protection Commission will investigate how this information is processed, whether it is then transmitted to third parties, and whether the developers are being transparent enough with their users.

Alongside the Tinder investigation, the Irish watchdog is also investigating a regular target of the privacy enforcement community: Google.

Once again, transparency is the key word here, as it so often is when one of the Silicon Valley residents is placed under the microscope. The authority will hope to understand how Google collects and processes location data, while also seeing whether it has been effectively informing users before collecting consent.

Google is seemingly constantly under the scrutiny of one regulator or another due to the complex web that is its operations. No one outside of Google genuinely understands every aspect of the business, so a new potential privacy scandal emerges every so often as the layers of complexity are pulled back. In this investigation, it is not entirely clear which product or service is the focal point.

What is worth bearing in mind is that any new privacy investigations are most likely to focus on conduct that took place after the introduction of GDPR in 2018. Anything prior to this, for example the Equifax leak or the Yahoo hack, would not have been subject to the same financial penalties.

For the Tinder and Google investigations, any wrongdoing could be punished with a fine of up to €2 million or 4% of total annual revenues, whichever is greater. We haven’t seen many of these fines to date because of the timing of the incidents or investigations, but regulators might well be looking for a case to prove there is bite behind the regulatory bark: a means to scare corporates into action and proactive security measures.

An excellent example of this enforcement concerns Facebook and the Cambridge Analytica scandal. An investigation into potential GDPR violations takes into account several different things: the incident itself, security procedures and features, transparency with the user and assistance with the investigation, to name a few. Facebook did not cover itself with glory and was not exactly helpful during the investigation; CEO Mark Zuckerberg refused to appear in front of a Parliamentary Committee in the UK when called upon.

As this incident occurred prior to the introduction of GDPR, the Information Commissioner’s Office in the UK was only permitted to fine the social media giant £500,000. Facebook’s annual revenue for 2013, when the incident occurred, was $7.87 billion. The maximum penalty which could have been applied under GDPR would have been $314 million.

Although the potential fines have been well documented, until there is a case to point to, most companies will push the boundary between right and wrong. Caution is generally only practised when the threat of punishment is followed through to make an example.