The long arm of the European Union’s General Data Protection Regulation (GDPR) – a set of rules that strengthen people’s rights over personal information – has claimed its first victim: Facebook.
Facebook said that it had lost 1 million monthly active users in Europe following the introduction of the GDPR in May this year. The GDPR has onerous requirements for the processing of personal data and requires that consumers know what their personal information is being used for.
Consequently, Facebook had to change its privacy policies to continue accessing private information for advertising purposes. To do so, it needed the free consent of its users.
Yet, the GDPR prohibits such forced consent and any form of bundling of services with the requirement to consent (see Article 7(4) GDPR). Generally, consent can only be a lawful basis for the processing of personal data if a person has actual control and a genuine choice with regard to accepting or declining the privacy terms.
Article 4(11) of the GDPR defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Facebook made users’ consent part of a non-negotiable privacy statement, and such ‘consent’ would be presumed not to have been freely given. On the other hand, users cannot withdraw their consent without losing access to their account.
This is also a reminder to Australasian businesses to take privacy and data protection seriously when doing business in Europe.
Facebook has been entangled in a cascade of privacy debacles. Facebook has recently been fined £500,000 by the UK privacy commission and is subject to a class action following its involvement in the Cambridge Analytica scandal.
We may well be witnessing the beginning of the end of Facebook.