Facebook loses challenge

Facebook loses challenge as court rules in favor of DPC

Facebook loses challenge as court rules in favor of DPC’s draft decision for an inquiry and suspension of Facebook’s data transfers to the US. 

Following the Schrems II judgement of last July, the Irish Data Protection Commission launched an inquiry into Facebook Ireland Ltd and suspended the company’s EU-US data flows. Facebook disagreed with the decision and decided to challenge it. The company asserted that the DPC’s decision, and the procedures subsequently adopted, were susceptible to judicial review. This long-standing legal battle over Facebook Ireland’s right to continue making data transfers to the US has now come to an end. This ruling, affirming the decision of Ireland’s lead regulator to suspend the company’s EU-US data flows, is likely to have major effects on Facebook’s operations.

This decision is the culmination of an eight-year battle, initiated by a 2013 complaint from Mr Max Schrems.

Facebook Ireland, a subsidiary of the US company Facebook Inc, provides the social networks Facebook and Instagram to the European region, and houses its central administration and European headquarters in Dublin. In June 2013, Mr Maximilian Schrems filed a complaint with the DPC regarding the transfer of his personal data to the US by Facebook Ireland, claiming that it was unlawful under national and EU law, and in October 2013 the DPC stated that the matter would be “investigated promptly with all due diligence and speed”. In May 2016, the DPC wrote to Facebook Ireland and Mr Schrems with a draft decision that Standard Contractual Clauses could not lawfully be relied upon in respect of transfers of EU citizens’ personal data to the US. After this, in July 2020, the CJEU gave its judgment. The court ruled that under the GDPR, EU residents whose personal data is transferred to a third country using Standard Contractual Clauses must be afforded the same level of protection guaranteed within the European Union by the GDPR. Since the authorities in the United States cannot be bound by Standard Contractual Clauses, data transferred there may not be effectively protected. As a result of last year’s judgment, the Irish DPC launched an inquiry and came to a preliminary decision to halt Facebook’s data transfers to the US, a decision that was subsequently challenged by Facebook.

Facebook challenged the draft decision by the DPC claiming that they should have awaited guidance from the EDPB. 

Facebook challenged the draft decision, as well as the inquiry, claiming that the Data Protection Commission should have waited for guidance from the European Data Protection Board before proceeding with an inquiry and ordering the suspension of its data transfers. The company asserted that, as a member of the EDPB, the DPC would have received imminent guidance from the EDPB and should not have acted prior to receiving it. This guidance was eventually published in November 2020, and as of May 14th 2021 the High Court has ruled that Facebook Ireland “has not established any basis for impugning the DPC decision or the PDD of the procedures for the inquiry adopted by the DPC.” The judge rejected claims by Facebook that the DPC was in breach of its duty in how the case was handled. Justice David Barniville also stated, however, that the DPC should have responded to certain questions that Facebook raised in its October 2020 correspondence.

Facebook loses challenge as High Court ruling gives the Irish DPC the right to open a second “own volition” investigation against Facebook.

This long-standing battle has now come to an end, resulting in an inevitable suspension of Facebook’s data transfers to the US. A second, “own volition” investigation has also been opened and is running simultaneously with the original complaint dating back to 2013, which led to the CJEU’s “Schrems II” decision. Regarding Facebook’s appeal of the DPC’s decision, the High Court, in its 127-page judgment outlining its judicial review of this case, rejected Facebook’s claims against the DPC. Eight years after the initial complaint, it is now certain that the DPC will have to act to stop Facebook’s EU-US data transfers. This decision is likely to heavily impact Facebook’s operations. Regardless, the company said it looked forward to defending its compliance to the Data Protection Commission.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

Facebook data leak

Facebook data leak affects over half a billion users worldwide

Facebook data leak results in the personal information of over half a billion users being made available publicly and free of charge. 


Facebook has recently been implicated in a massive data leak affecting over half a billion users, as reported by Business Insider earlier this month. The personal data leaked was gathered during a data breach two years ago. Recently, however, an individual published all of this personal information on a black-market hacking forum, free of charge. It is believed that this information was previously available for sale but has since gone down in value, which is why it is now being offered for free. The data was obtained through the misuse of a platform feature prior to 2019 and affects approximately 533 million users from over 100 countries.


The personal data leaked does not include login information; however, the details included contain enough information to facilitate impersonation or fraud.


The personal data affected includes information such as full names, identification credentials, locations, dates of birth, email addresses and phone numbers. The information does not include financial or health information. It is also said that login information is not included in the data; however, the information put out there could potentially be used for hacking. Security experts say that this information could be used to impersonate individuals and commit fraud. Facebook’s Product Management Director, Mike Clark, says that this information was not obtained through hacking but rather by scraping it from the platform, much like what happened to Facebook in the 2016 Cambridge Analytica fiasco.


The Facebook data leak has resulted in information that was available for sale in January now being published free of charge on a hacking forum.


The data was first discovered in January on a hacking forum, where an individual or entity advertised an automated bot that could provide certain user data from Facebook. At the time, the data was confirmed to be legitimate. Since then, however, the data has been publicised and is now available for free on a low-level hacking forum. This was discovered earlier this month by Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock.

Facebook reports that the vulnerability which led to the data scraping has since been rectified, and that the company does not intend to notify the individual users affected by this leak.


Facebook officials want to assure the public that the platform vulnerability which led to the 2019 data breach has since been rectified. The social media company has not notified the over 533 million users who were affected by this data breach and, according to company officials, does not intend to do so. Facebook’s spokesman said the company was not confident that it had full visibility on which users would need to be notified. In its defence for not notifying users, the company also cited the fact that users could do nothing to fix the issue, as well as claims that the data was already publicly available.


“One needs to understand that, under GDPR, data breaches of such nature need to be notified to data protection authorities and very likely to the affected users as well,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

The next update to iOS

The next update to iOS could significantly impact targeted advertising on free apps.

The next update to iOS has created friction between Apple and advertising giants like Facebook which rely on targeted ads for revenue. 


The next update to iOS, initially announced last summer, will force app developers to explicitly seek permission to access the phone’s unique identifier, known as the IDFA. This update is expected early in spring and is likely to significantly reduce the effectiveness of targeted mobile ads. In order to tailor mobile ads to smartphone users, app developers and other industry players typically access this unique identifier on devices. However, once this new rollout takes effect, a prompt will begin showing up for users, seeking their permission to give access to their IDFA. It is expected that roughly half of users may respond negatively or refuse access via this prompt.


The effectiveness of targeted advertising relies heavily on access to personal identifiers like Apple users’ IDFA. 


Targeted advertising relies heavily on access to significant amounts of personal data, which determines who is most likely to be affected by a particular message, and also how and when to deliver the message for maximum impact. For this reason, in order for targeted ads to be truly effective, access to data through Apple users’ IDFA is key, and this update from Apple will no doubt significantly impact targeted advertising.


Facebook argues that these changes will be of dire consequence to small businesses which depend on targeted advertising on free apps like theirs. 


One industry leader which generates much of its revenue through advertising has spoken up about the anticipated update. In a recent blog post, Facebook expressed its disagreement with Apple’s approach, complaining that Apple provides no context on the benefits of having targeted ads, and suggesting that Apple’s new prompt implies that there is a trade-off between personalised advertising and privacy. Facebook argues that the two are not mutually exclusive, and that it can and does provide both.


Facebook argues that these changes will significantly impact the income of small business owners who rely on targeted ads via free apps to reach the customers most likely to convert into revenue for their businesses. Facebook intends to show Apple’s prompt asking for consent, but also to include its own prompt providing context on the benefits available to users through targeted advertising.


Some industry leaders are opting to give up access to certain data, eliminating the need to seek consent. 


Google has also spoken up about the change and how it plans to navigate affairs taking this change into account. The company plans to cease using any data that falls under Apple’s AppTrackingTransparency framework for iOS apps, which will exempt it from needing to show this prompt. Google is essentially forgoing access to a significant amount of personal data to avoid needing to seek consent.


How do data protection laws and this era of consent affect targeted advertising?


The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR clearly states and requires that consent must be unambiguous and given by a statement or by a clear affirmative action.


Data protection laws like the GDPR and CCPA are designed to empower consumers, giving them more control over their personal information. The GDPR in particular operates by an “opt-in” model of consent, as clarified in its definition of the term, meaning that it cannot be assumed that a user has given consent simply because they have not opted out. Users must clearly and unambiguously opt in, and companies cannot assume that a user has given consent unless they have been asked, in the right way, and have given a clear affirmative response. From Apple’s perspective, this update does fall in line with the GDPR, seeking clear, unambiguous consent from users to share a unique identifier such as their IDFA. “The philosophy behind it is similar to that of cookie consents for websites, only in the world of iOS apps,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner. However, there is no doubt that this update will affect the current model of advertising, and not just companies like Facebook which generate much of their income through their ability to provide targeted ads to users on their free platforms, but also much smaller businesses seeking their targeted advertising audience through the social network giant.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.


German court: Facebook data practices

German court: Facebook data practices breach competition law.

German court: Facebook data practices breach competition law due to its data collection practices from its suite of apps and through external websites.


Germany strikes at Facebook’s business model as the German Competition Authority has launched an inquiry into the data collection practices of the social media and data collection giant through its local court. Germany is the first major EU country to launch legal action against the company since the implementation of the GDPR. Specifically, Facebook’s ability to provide detailed marketing data to companies who would pay for this information is now greatly hindered, as the company is being limited in the collection of data and its integration across their full suite of apps. In a recent article, Politico reported that the Bundeskartellamt has ruled that German citizens will have to explicitly and knowingly consent to cross-app data integration by Facebook.


While Facebook has not been found guilty of data protection malpractice under the GDPR, its practices breached Germany’s national privacy policies.


The Cambridge Analytica revelations showed that this data integration had a marked effect on many important political outcomes, such as Brexit and the 2016 US elections. These targeted ads may cause more harm than perceived, and Germany is the first to seek to protect its citizens from this. Facebook has not been found guilty of data protection malpractice under the GDPR; it is important to note that the decision was made under Germany’s national privacy policies, not the EU’s. The EU is still keeping a watchful eye on the proceedings, as Facebook has the opportunity to fight the decision or suspend the case, and a decision has yet to be made. The GDPR states that data subjects need to provide “freely given, specific, informed and unambiguous” consent where data is used for commercial purposes.


Facebook is the only company thus far found to be in breach of Germany’s competition law.


So far the Bundeskartellamt has only targeted Facebook with this wave of action, due to its wide monopoly on social media in Germany: it records over eighty percent of monthly active social media users in the country. YouTube, Twitter and Snapchat were all seen as secondary and were not subject to any legal action. These companies, however, will be taking note of these changes in policy, as they could affect how they operate in the future and may prevent an integrated platform like Facebook’s (at least in Germany) due to these restrictions. Facebook will need to implement the decision over the next 12 months.


The EU may be forced to implement new protocols for the GDPR.


Companies with existing competition and data privacy lawsuits and open decisions, such as Google and Amazon, are keenly affected by this type of legislative change as well. If a major detriment to these data integration practices can be found by the Bundeskartellamt, the EU may be forced to implement new protocols for the GDPR and police these data collection services more diligently, as some have already been accused of seeking consent in deceptive ways, being unclear about data use, or vaguely outlining the detail or extent of the data being collected. The impact this could have on e-commerce in the European sphere is definitely worth paying attention to, especially since the GDPR is one of the more universally referenced examples of a good starting point for the current standard in data protection policy.


According to Cristina Contero Almagro, Partner at Aphaia, “Combining data from different sources requires at least to put in place a Data Protection Impact Assessment first. Apart from that, it is deemed profiling, so it may be subject to Article 22 GDPR requirements, plus additional guarantees should be applied due to its commercial purpose”.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.