The aftermath of Cambridge Analytica’s scandal and other problems for Facebook in Europe

The scandal of Cambridge Analytica caused several consequences for Facebook in Europe.

In the United Kingdom, the Information Commissioner (ICO) is investigating the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors by 30 organizations, including Facebook. See here.

The Working Party 29(WP29) created a Social Media Working Group to develop a long-term strategy on the collection personal data from social media for micro-targeting for commercial or political reasons. See here. The Social Media Working Group includes several European Data Protection Authorities (DPAs), counting The Netherlands, France, Spain, Hamburg, Belgium and Italy, who will “assist and fully cooperate with the UK’s Information Commissioner’s Office (ICO) in its investigation of Cambridge Analytica and Facebook.”  See WP29’s press release “Sorry is not enough”: WP29 establishes a Social Media Working Group is available at  20180411_Press release on Facebook_FINAL.pdf 

Independently from the scandal of Cambridge Analytica, several are the privacy investigations opened on Facebook in the EU:

In The Netherlands, the College Bescherming Persoonsgegevens(the Dutch DPA), found Facebook in violation of Dutch privacy legislation. The DPA is currently assessing whether the violations have ended. If that is not the case, the DPA may decide to impose a penalty on Facebook. See here.

In France, the Commission Nationale de l’Informatique et des Libertés /CNIL, (the French DPA) confirmed its involvement with its European counterparts in the investigation. As a reminder, the Commission sanctioned Facebook in 2017 for engaging in unlawful tracking because of  lack of consent.

In Spain, the Agencia Española de Protección de Datos /AEPD (the Spanish DPA) – opened an investigation against Facebook to determine possible harms caused to Spanish users. See here in Spanish.

In Germany, the Higher Administrative Court (OVG) confirmed the Hamburg DPA (Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit – HmbBfDI)’s administrative order, banning Facebook from using WhatsApp user data for its own purposes. More information is available here (in German). As for the opened investigation on misuse of data, see here.

In Belgium, the Commission for the Protection of Privacy, Commissie voor de bescherming van de persoonlijke levenssfeer/CBPL imposed a fine on Facebook for the unconsented use of “datr cookie”. See here in Dutch. As for the opened investigation on the misuse of data, see here.

In Italy, the Garante per la Protezione dei Dati Personali – the Italian DPA – met (see here) with a Facebook delegation which will provide information on:

  • political marketing companies which have accessed users’ data;
  • information on facial recognition policies and technologies;
  • its compliance process in the light of the GDPR;
  • user profiling mechanisms with particular regard to sensitive data;
  • checks carried out on Facebook-related app developers.

In Ireland, the Irish High Court requested a preliminary ruling by the European Court of Justice (ECJ) in a case concerning Facebook’s data transfers and use of standard contractual clauses. More here.

For more information, Francesca Giannoni-Crystal and Federica Romanelli