Long data privacy notices aren’t foolproof, Euro watchdog tells Meta

Lengthy privacy notices included in a social media platform’s terms of service can do little to help it comply with transparency requirements under European law, according to recently revealed documents from a case in which Meta was fined €390 million ($414 million).

The documents have been released by noyb, the privacy law campaign group founded by Max Schrems, the lawyer who has twice successfully challenged US-EU data sharing, including the cases (Schrems I and II) that defeated the US Safe Harbor and Privacy Shield agreements.

Despite nominally winning the case, noyb said it might further pursue its claim because, in its view, Ireland’s Data Protection Commission (DPC) gave Meta too long to comply with the ruling and imposed fines that were too low.

A legal saga between Meta, Ireland and the European Union reached a landmark earlier this month when the DPC meted out a combined €390 million ($414 million) fine for violations of the EU’s General Data Protection Regulation, and directed the social media group to “bring its data processing operations into compliance within a period of 3 months.”

The DPC’s verdict followed the European Data Protection Board’s (EDPB) ruling in December to overturn a previous decision from the DPC that allowed Meta to add data use consent into its terms of service, seemingly in an attempt to bypass the GDPR’s requirement for explicit consent.

The ruling assessed the question of whether, for the purposes of personalized ads, Meta provided sufficient notice to users about how their data would be used and whether it did so transparently.

Following the EDPB’s ruling, the DPC said “a failure by a controller to adhere to the transparency requirements is likely to have the direct result that the data subject is misled.” (par 130)

The DPC also tried to find in Meta’s notice a link between specific categories of data, the purposes of the processing and the legal basis it relied on. It failed to find such a connection.

“The Data Policy and related material sometimes… demonstrate an oversupply of very high level, generalised information at the expense of a more concise and meaningful delivery of the essential information necessary for the data subject to understand the processing being undertaken and to exercise his/her rights in a meaningful way,” it said.

It also said the privacy notice’s “generalized, repetitive information, in combination with [its] circular manner … lacks clarity and concision, which in turn means it is difficult for users to identify or have meaningful information.”

All this made it “impossible for the user to identify with any degree of specificity what processing is carried out on what data,” the DPC said.

“DPC really did not like Meta’s privacy notice,” pointed out Joe Jones, director of research and insights of privacy community IAPP, while live tweeting the decision.

‘Massive disagreement between the Irish DPC and the EDPB’

In a statement, noyb argued that the DPC decision made it apparent that the Austrian, German, French, Italian, Dutch, Norwegian, Polish, Portuguese and Swedish data protection authorities had all raised formal objections against the DPC’s own decision.

The DPC did not even care to amend the decision and adapt its positions, but simply just copied the EDPB position into the previous decision, it claimed.

Schrems said: “The decision reads like homework where the pupil did not even care to change mistakes, but merely copied the corrections of the teacher into a text.”

As the decision “doesn’t seem to fully deal with the complaints by noyb” and “does not cover matters such as the use of personal data for improving the Facebook platform or for personalized content,” the group said, it may have to appeal the decision on these grounds.

The Register has given the DPC an opportunity to comment. ®
