Facebooks GDPR compliance called into question

FacebookA few weeks ago, Facebook CEO Mark Zuckerberg sat in front of US lawmakers over the company’s data privacy issues. During the two-day grilling, Zuckerberg was quizzed by several members of the House of Representatives about the data his social network collects on both registered users and non-users – Zuckerberg claiming no knowledge of these so-called ‘shadow profiles’. Despite this, it’s these shadow profiles that could land the internet behemoth into some GDPR-related hot water.

Research from Mozilla and Hubert Burda Media-backed web browser Cliqz and its privacy browser extension Ghostery – from late 2017 – revealed that Facebook’s tracking scripts are present on 27.1 per cent of all page loads. These scripts enable Facebook to link behavioural data to individual internet users, even if they aren’t signed up to the social network.

As a result, even if Facebook is compliant amongst all of its actual users, it could face a hefty fine from the European Union (EU) if it is still tracking non-users in the EU come 25 May.

“Data collection in shadow profiles is Facebook’s weak spot when it comes to GDPR compliance and contradict their own mantra of giving people control over their data. Little wonder that Zuckerberg was trying very hard to avoid that topic during his Congress hearing where he claimed to be not familiar shadow profiles”, said Jean-Paul Schmetz, CEO Cliqz.

“Facebook has recently updated their privacy information and settings recently to comply with GDPR. At first glance, they’ve done a decent job on getting users’ consent, inform them, give users at least some limited means to opt-in and out and even a limited look into what they know about the user. However, I am convinced that on a closer look, they do not comply with GDPR. Their tracking scripts monitor one third of the internet traffic and grab data about Facebook-members and non-members alike, however to execute your ‘GDPR rights’, you have to own a Facebook account. Non-members or those who deleted their account are still being tracked and can’t do anything about it.”