Motherboard/Vice published an explosive report on Facebook's business yesterday that is sure to raise fresh questions over the lack of enforcement of European privacy laws against the adtech giant.
The report is based on a leaked internal document written last year by the privacy engineers from its Ad and Business product team.
The document, titled "ABP Privacy Infra, Long Range Investments [A/C Priv]," shows engineers at the tech giant, now Meta, scratching their heads at the nightmare job at hand: making Facebook's data-ingesting ads business compliant with what the company called a "tsunami" of global privacy regulations, which require it to know how user data flows through its systems so that it can apply policies controlling what is done with people's information and perform basic tasks like reflecting people's privacy choices. So the next time Sheryl Sandberg mentions Meta's "regulatory headwinds," this is the contextual meat to graft onto those euphemistic bones.
Meta's text deploys some internal business shorthand and acronyms whose literal meanings aren't always clear. But the takeaway of the read (and it's well worth reading in its entirety if you can spare the time for 15 pages of text, diagrams and a few colorful analogies, including one comparing a person's information to a bottle of ink being poured into a giant lake; oopsy!) is that Meta has designed its ad system in such a totally unsiloed way that it is very, very, very far from being able to comply with even existing laws like Europe's General Data Protection Regulation (GDPR), whose purpose limitation principle means you need a legal basis for each use of personal data. Nor, the report says, do Meta's engineers sound optimistic about their chances of cleaning up the mess and coming into compliance in time with the long list of other new global regulations on the way. (Don't even get them started on what AI regulations might mean for the business.)
Of course, Meta disputes that the document shows the company isn't complying with any privacy laws in the first place.
In a statement to Motherboard, the company claims the document "does not describe our extensive processes and controls to comply with privacy regulations," adding that "it's simply inaccurate to conclude that it demonstrates non-compliance," and further claiming: "New privacy regulations across the globe introduce different requirements, and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations."
But, well, they would say that, wouldn't they?
Independent privacy researcher Wolfie Christl, a forensic examiner of ad-data flows, views the leaked document differently: he refers to it as "dynamite" and, indirectly, a "confession" of the company's inability to comply with the terms of the GDPR. See his long thread on Twitter, where he unpacks and contextualizes the implications of the engineers' observations as he analyzes the document.
According to the document, three reasons why FB decided not to honor the GDPR:
1) It just didn't want to pay the bill
2) Its surveillance advertising systems don't even care about counting how personal data is used in 'ads'
3) it just didn't want to pay the bill
— Wolfie Christl (@WolfieChristl) April 26, 2022
"It is a very direct and unambiguous confession of how the whole business of Facebook is based upon a great fundamental violation of GDPR," says Christl, talking to TechCrunch. "Purpose limitation is perhaps one of the most basic principles in GDPR. A company can collect the personal data mainly for a specific reason. If a company can't specify the purpose it collects the personal data for, it simply cannot process it under the GDPR."
What should Meta's lead data protection regulator in the EU do? "The Irish regulator must take action now. If Facebook cannot make clear how exactly its surveillance advertising machine uses personal data, it must be ordered to stop processing it."
TechCrunch reached out to the DPC, Ireland's Data Protection Commission and Meta's lead EU regulator, to ask whether it will now open an investigation into Meta's ad data flows in light of what the document appears to show: essentially, an ads system that, either by design or through systemic build creep, exists (or existed in 2021) in a state utterly antithetical to regulation. We also asked whether the document is relevant to any of the several ongoing investigations it has into aspects of Facebook's business.
The regulator neither commented on those questions nor expressed disagreement, but deputy commissioner Graham Doyle confirmed that it had not received or discussed the document before its publication by Motherboard/Vice.
That raises additional questions, because the DPC has, on paper, been investigating whether Facebook's ads business complies with the GDPR's requirement to have a valid legal basis for processing people's data for almost four years now.
For example, since May 2018, when the regulation came into effect, the DPC has been investigating a complaint against Facebook that centers on the legal basis for processing user data for advertising.
A draft DPC decision on that inquiry, published last fall (though not by the DPC), was within weeks denounced as a joke by privacy campaigners, partly because the regulator appeared to be signaling its intent to accept a tactic from Meta to evade the GDPR's standard for consent-based processing by invoking a cunning contractual bypass.
The tl;dr is this: for consent to be valid under the GDPR, data subjects must be given a free choice. Consent must also be purpose-specific (no bundling), and it must be informed.
None of which happens on Facebook, where the platform makes processing your information for ad targeting a condition of use: click 'agree to ads' or no Facebook account for you.
Yet, per last year's leaked draft DPC decision, Facebook claims that users agree to targeted ads simply by joining the platform, and the DPC did not challenge that construct, a bypass of the GDPR's consent standard.
Given that GDPR complaints are still floundering on such legal basics, is it any wonder that the deep, dark underbelly of Meta's ad-targeting machinery contains, as this document tells it, a vast ocean of surveillance data on web users but so little apparatus for ordering that information according to people's own wishes?
The bottom line is that the EU is nearly four years into enforcement of its 'flagship' data protection regime, and Facebook itself remains untouched by GDPR enforcement. (Its messaging platform WhatsApp was hit with a fine last year.)
Nor did the European Union suddenly invent privacy regulation in 2018, when the GDPR took effect. Before that there was the Data Protection Directive, which embodied many of the same principles.
So if Facebook-like companies had been paying attention to the relevant legal requirements about privacy by design, at least in Europe, and if EU regulators had been muscularly enforcing these long-standing rules, Meta might not now be warning investors about the "regulatory headwinds" coming for their shareholder value. Nor would it be facing what sounds like a monumentally expensive and resource-intensive re-engineering challenge: not so much landing on the moon as reconstructing the whole planet from pulverised moondust in a way that ensures every tiny piece of rock and dust is put back in exactly the place it originated. Oh, and, guess what, the cut-off date to do all that has already passed. Let's call it 'Zuckerberg's moonshot.'
A Meta spokesperson did not answer a question on whether, in the wake of the Motherboard report, it had contacted the DPC to provide its lead EU regulator with information about how its ads system works.
The company sent us the same statement it provided to Motherboard, which concludes with this whine: "This analogy lacks the context that we do, in fact, have extensive processes and controls to manage data and comply with privacy regulations."
The European Commission is ultimately responsible for overseeing how the GDPR is implemented by the authorities within the EU Member States.
We asked the Commission whether it had any concerns following the leaked document and whether it had a view on whether the DPC should launch an investigation into Meta's ads data flows. At the time of writing it had not responded.
In February, following a complaint from the Irish Council for Civil Liberties against the Commission, which claims the EU's executive is shirking its responsibility to take action over Ireland's "failure properly to apply" the GDPR, the EU's ombudsperson launched an investigation, giving the Commission until May 15 to deliver an "especially detailed and comprehensive" account of what it has gathered so far on the question of whether the regulation is being applied "in all respects" in Ireland.