In Europe, Facebook's data law buffer looks to be on borrowed time

In Europe, Facebook's data law buffer looks to be on borrowed time
From TechCrunch - October 24, 2017

Facebooks European business may not, for too much longer, be able to rely on its preferred privacy buffer of arguing that data protection oversight of its business is exclusively limited to the Irish watchdog on account of its European HQ being located in Ireland.

A non-binding legal opinion put out today by an influential advisor to Europes top court has ruled that the social network can in fact be subject to privacy oversight in other European Union Member Statesat least where it has some physical presence (such as a sales office), as well as users whose data it is gathering for targeted advertising.

The underlying case pertains to the background tracking of web browser users via Facebook operated cookies. A German education and training company which runs a fan page on Facebook had, in 2011, been ordered by a German data protection authority to deactivate the Facebook pagebecause the latter deemed that neither it nor Facebook had informed users their personal data was being collected.

The company challenged the order in court and, after much legal back and forth, several questions were referred to Europes top court for a preliminary rulingwhich todays advocate general opinion prefigures.

In recent years, various European DPAs have sought to impose fines on Facebook for what they view as data protection violations pertaining to users in their jurisdiction, including watchdogs inSpain, the Netherlands andBelgium.

But Facebooks go-to rebuttal is to claim it is only subject to the jurisdiction of the Irish DPA.

In todays opinion, the advocate general writes: In recent months, the supervisory authorities of several Member States have decided to impose fines on Facebook, because of breaches of the rules on the protection of the personal data of its users.The present case will enable the Court to clarify the extent of the powers of intervention of supervisory authorities such as ULD [German DPA] with regard to the processing of personal data which involves the participation of several parties.

Its fair to say that EU Member States data protection authorities are a spectrum, with some taking a distinctly more proactively pro-privacy stance than others.

While Irelands low corporate tax rate is something of a flag for where the country plants its priorities on the data for businesses vs privacy for users axisunderlining why Facebook might want to be subject to its supervision vs other, more pro-privacy EU DPAs.

But its preference for the Irish data protection commissioner to be its sole privacy authority could well be on borrowed time. A spokeswoman for the ECJ said there is no date yet for a final judgment but one usually follows between three and six months after the opinion.

Contacted for a response to todays advocate generals opinion, a Facebook spokesperson told us: We respectfully disagree with the Advocate General and await the European Courts decision.


Continue reading at TechCrunch »