European Commission focuses attention on Facebook privacy practices

In a public expression of concern (or, as actually reported, astonishment) over Facebook’s December changes to its privacy policy, its default user privacy settings, and the set of user information that is always made public, European Commissioner for Information Society and Media Viviane Reding said in a recent interview that Facebook and other social networking sites could find themselves subject to new regulation if they fail to properly protect users’ personal information. While Reding has indicated since the Commission’s 2010 session began that she is considering updates to data protection and privacy laws, with respect to Facebook the concern is partly driven by its perceived departure from a commitment made a year ago to follow European privacy principles. Should the EC want to establish tighter regulations on social networking sites, it appears to have plenty of leverage with which to do so, particularly if it takes on the task of updating core data privacy laws such as the 1995 Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and the 2002 Directive (2002/58/EC) on privacy and electronic communications, both of which contain explicit language about obtaining user consent prior to collecting or processing (using) data for just about any purpose. Companies like Facebook often argue that users explicitly consent to personal data collection, and implicitly consent to any future use of the information they provide, when they decide to set up an account, but these arguments fit better with U.S. regulatory frameworks than they do in the European Community. While Americans are by far the largest proportion of Facebook users, European users account for at least 20% of the overall user base, so restrictions imposed on Facebook even for this subset of its user community would likely have a significant impact on the company.

Such an effort to regulate Facebook and its ilk in the United States would be a more difficult challenge, given the emphasis under current laws on making sure companies do what they say they will do (that is, that action matches policy), but without any requirement as to the specific practices they have to adopt. (A notable exception is with respect to data collection from minors under the age of 13.) The governing law for U.S. companies is the Federal Trade Commission Act (15 U.S.C. §45), which empowers the FTC to prevent unfair or deceptive trade practices — acting counter to published privacy policies is typically considered a deceptive trade practice. Despite the fact that Facebook explicitly reserves the right to change its privacy practices and terms of service at any time in its Statement of Rights and Responsibilities, the changes it implemented in December 2009 prompted a complaint to the FTC by a group of privacy and consumer advocates, arguing that the nature of the changes violated consumer protection laws. To date the FTC has taken no action in response to the complaint, although Facebook has been discussed in FTC-sponsored forums such as the Exploring Privacy roundtable series.

Facebook has used the attention surrounding the changes in its privacy practices to spin the story into a positive tale of increased consumer awareness of personal privacy. During the second session in the privacy roundtable series, Facebook’s Director of Public Policy Tim Sparapani cited user statistics that 35% of its 350 million users were prompted by the change to actually go to the privacy settings section of their accounts and configure them. By any accounting, that’s a lot of users, but a more interesting metric might be how many current users have not taken any action (even making a decision to accept the new default settings). Perhaps if more users were made aware of how Facebook’s privacy practices facilitate third-party harvesting of personal data such as contact information, more of them would be motivated to act.