Facebook, under siege, slams European privacy regulators

Facebook has already filed a lawsuit against the Dutch data protection authority over an investigation into its privacy practices

Facebook has warned that overlapping national probes into its privacy policy could severely endanger the European Union's economy if such a fragmented strategy is continued and applied to other businesses.

The social networking company also warned that the high cost of compliance with multiple national laws, rather than with an overarching EU regime, could cause it to introduce new features more slowly or not at all.

Data protection authorities from Belgium, the Netherlands and Germany in February formed a task force to deal with Facebook's new privacy policy, introduced late January. They suspect that the new policy violates EU privacy laws. French, Spanish and Italian authorities later joined the group.

This fragmentation of regulatory action, though, can be bad for the EU, according to Facebook. "Facebook's costs would increase, and people in Europe would notice new features arriving more slowly, or not at all. The biggest victims would be smaller European companies. The next big thing might never see the light of day," Richard Allan, Facebook's vice president of public policy in Europe, wrote in an opinion column in The Financial Times.

The way things are going, Facebook and other companies will have to comply with 28 national variants of EU law, posing serious obstacles, he said.

The European common market was created to avoid such a splintered system, Allen wrote in his column. If the same sort of fragmented enforcement approach that Facebook is now dealing with is applied to businesses in other industries, Allen wrote, "complying with EU law will no longer be enough; businesses will instead have to comply with 28 independently shifting national variants. They would have to predict the enforcement agenda in each country."

Facebook argued that it should only be subject to scrutiny by the Irish data protection authority (DPA), since it established its European headquarters in Ireland five years ago.

"Initially, when the authorities in other countries had concerns about our services, they worked with the Irish regulator to resolve them. This is how European regulation is supposed to work: if a business meets regulations implemented in its home country, it can operate across the EU," said Allan.

As part of its push against the authorities, Facebook recently filed a lawsuit against the Dutch DPA because it does not agree with the investigation, a spokeswoman for the authority said. She declined to give further details on the case, as it is ongoing. The suit is scheduled to be heard by the District Court of the Hague on May 20, a court spokesman said, declining to comment on the contents of the case.

Facebook did not immediately respond to a request for comment.

The national privacy authorities disagree with Facebook and say they do have authority over the company's privacy practices. "It is quite simple, we have authority because Facebook processes data from Belgians," said a spokeswoman for the Belgian Privacy Commission.

Belgian authorities are meeting with Facebook on Wednesday to talk about a report that they commissioned, which found that Facebook violates EU law by tracking visitors. Facebook says the report contains factual inaccuracies. A discussion about jurisdiction is also planned, the spokeswoman for Belgian DPA said.

The German DPA in Hamburg did not immediately respond to a request for comment.

Meanwhile, Jacob Kohnstamm, the chairman of the Dutch DPA, told Dutch newspaper Trouw on Wednesday that Silicon Valley companies are less impressed by a legal letter from Dutch data protection authorities than Dutch organizations might be. It is therefore important that the EU's planned new privacy laws should be approved soon to give privacy authorities the opportunity to stand together against big U.S. companies, he said.

However, there is debate among EU lawmakers about how to approach data privacy enforcement. The European Commission approved a plan for a "one-stop-shop" mechanism that would make it easier for businesses and citizens to deal with privacy-related complaints. However, that proposal was later weakened by the Council of the EU, which added unnecessary bureaucratic steps, thus weakening the plan, privacy groups have warned.

EU institutions hope to come up with a definitive proposal for data protection reform by the end of the year.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags regulationsecurityCivil lawsuitslegalgovernmentdata protectionprivacyFacebook

More about EUEuropean CommissionFacebookIDGNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place