With more than half a billion users, Facebook definitely knows a great deal about a huge number of people, having collected a lot of personal data since 2004, which by now is a gold mine.

Still, its effectiveness in monetizing the pool of knowledge gained from each user lags far behind that of other prominent internet companies like Google or Yahoo!.

In its pursuit to benefit from all the data it holds by turning it into competitive advertising offers, Facebook has ended up in hot water several times, for instance when it combined members' social actions, such as the purchase of a product or the review of a hotel, with an advertiser's message. This triggered a hue and cry over privacy, but Facebook nevertheless applied the same concept to activities within its News Feed. Sponsored Stories simply seem to run afoul of the same laws that made Social Ads so problematic, namely that Facebook assumes that if a person talks about a product, it counts as an endorsement and can be used in an advertisement, whereas permission to feature a user's name and likeness in an ad is not given automatically. At least, it seems, Facebook has suspended a feature that would have allowed third parties to access members' telephone numbers and addresses, and is currently deliberating how to modify the way it asks consumers for permission to share their personal data.

These are, however, only a few bumps in the road for the biggest social network, which is trying to expand its revenue stream. Thus, the concerns I want to highlight will probably add only a little more fuel to the fire.

Social plug-ins are quite popular among Facebook users, who declare themselves fans of a particular site with a single mouse click. That is why companies happily integrate these "Like" plug-ins as a promotional tool on their websites. According to the experts, however, this can be quite explosive with regard to data protection law.

Why the integration of so-called Facebook plug-ins such as "Like" is significant for data protection regulations

Facebook's social plug-ins actually serve to exchange information between Facebook users. By clicking the "Like" button, the logged-in Facebook user confirms their sympathy with the site in question; this is then posted on their Facebook page and reaches their "friends".

What is interesting here is the fact that although the website operator installs the plug-in, they get no insight into the concrete exchange of information between the plug-in and Facebook; they only receive new visitors via back-linking, without finding out anything about those users.

Unsurprisingly, a "Hate" button does not exist, as nobody is interested in finding out about their own unpopularity.

For acceptance of data protection there has to be a way to distinguish between Facebook members and non-members

By registering, the Facebook member gives permission for the transfer of their personal data (identifiable user profiles) to the Facebook servers in the U.S. There is doubt, however, whether this consent given during Facebook registration is sufficiently transparent to users, and it is questionable whether the website operator bears liability, which would make the agreement legally non-compliant. Instead, a legal basis is required for the delivery of such data.

Often, the clause is brought into play whereby a service provider may collect and use a user's personal information to the extent necessary for the use of the service. If the website owner includes this Facebook service among others, then the transmission to the Facebook server is also required and therefore admissible.

Indeed, it is argued here that the data would not be submitted by the website operator, but directly by the user to Facebook. In this respect, the relationship between provider and user would not be affected and the norm would consequently not apply. However, it is likely that the paragraph does apply here, as the operator actively makes his website available for the service. More problematic, however, is the legitimacy regarding non-members. According to credible sources in the U.S. citing insider claims, Facebook submits to its servers not only data of logged-in users, but also user data from website visitors who are not Facebook members. Since this user data appears to include the visitor's IP address, which data protection authorities regard as personal data, the transmission is prohibited unless the user's consent or a statutory authorization exists.

A transfer of personal data to the U.S. is indeed permitted if the company concerned has joined the so-called Safe Harbour Agreement, which is the case for Facebook. Unfortunately, certified U.S. companies often adhere to the standards only loosely, so that the transfer may still be considered inadmissible.

The use of the Facebook social plug-in is therefore difficult to assess from a data protection point of view. If the plug-in really transmits the IP addresses of non-members to the U.S. as well, the entire service should be illegal. If, however, only members' data are transferred to the U.S., its use should be justified.

It is important, in this context, that the website operator is required to inform visitors about the nature, extent and purpose of the collection and use of personal data. Assuming that only members' data are sent (otherwise the plug-in would be prohibited), the website operator must point out, by all means in its privacy policy, that the Facebook social plug-in is installed and automatically transmits data from Facebook members to the U.S. server as soon as the page is called up.
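The automatic transmission described above happens because the browser fetches the plug-in from Facebook's server the moment the page loads, which is what discloses the visitor's IP address and the visited sub-page. One way an operator can avoid that until the visitor agrees is a consent-gated embed: the page initially ships only a same-origin placeholder and emits the real plug-in markup only after a click. The following is an added example written for this article, not code from the article or from Facebook. It assumes the plug-in is served from www.facebook.com at a `/plugins/like.php?href=` URL (the real parameters should be taken from the provider's documentation), and the `thirdPartyHosts` audit helper and all sample markup are constructed for the example.

```javascript
// Consent-gated "Like" button (added example). Runs in Node without a DOM;
// the strings are what a page template would emit at each stage.

// Assumption: the plug-in is served from this origin and receives the page
// URL in an "href" query parameter.
const PLUGIN_ORIGIN = "https://www.facebook.com";

// Markup for the real plug-in. Emitted only after consent, because rendering
// it makes the browser contact Facebook (IP address, visited URL, cookies).
function liveLikeButtonMarkup(pageUrl) {
  const src = `${PLUGIN_ORIGIN}/plugins/like.php?href=${encodeURIComponent(pageUrl)}`;
  return `<iframe src="${src}" title="Facebook Like button"></iframe>`;
}

// Markup served on page load: a plain button with no third-party URL, so
// rendering it causes no network request to Facebook at all.
function placeholderMarkup() {
  return '<button class="like-placeholder" data-action="enable-like">' +
         'Enable the Facebook "Like" button (connects to Facebook)</button>';
}

// One gate per page view. render() is what the template calls; consent() is
// wired to the placeholder's click handler in the browser.
function createLikeGate(pageUrl) {
  let consented = false;
  return {
    render() { return consented ? liveLikeButtonMarkup(pageUrl) : placeholderMarkup(); },
    consent() { consented = true; },
    hasConsent() { return consented; },
  };
}

// Operator-side audit: which hosts other than the site itself would the
// browser contact when rendering this markup? Scans src/href attributes;
// adequate for checking templates, not a full HTML parser.
function thirdPartyHosts(html, siteHost) {
  const hosts = new Set();
  const attr = /\b(?:src|href)\s*=\s*"([^"]+)"/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    try {
      const u = new URL(m[1], `https://${siteHost}/`);
      if (u.host !== siteHost) hosts.add(u.host);
    } catch (e) {
      // malformed value: the browser would not request it as a URL either
    }
  }
  return [...hosts].sort();
}

// Demo: before consent no external host is contacted; after consent only Facebook.
const demo = createLikeGate("https://example.org/article");
console.log(thirdPartyHosts(demo.render(), "example.org")); // []
demo.consent();
console.log(thirdPartyHosts(demo.render(), "example.org")); // [ 'www.facebook.com' ]
```

The same `thirdPartyHosts` check is useful beyond the Like button: running it over each rendered template before deployment lists every host the page contacts on load, which is exactly the set that has to appear in the privacy statement.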

Therefore, if you use Facebook's "Like" button, you should consider including the following points in your privacy statement:

  • The website runs a Facebook (company address) plug-in;
  • Our websites with this plug-in are designed to connect to Facebook and inform it which sub-page has been visited;
  • Logged-in Facebook members are assigned to a user account, and clicking the "Like" button leads to a corresponding message being sent to Facebook and stored in the user account. Both can only be prevented by logging out of Facebook before calling up the website;
  • More detailed information is available on the Facebook page (privacy policy).

The only question of principle I have right now is: what else will Facebook do to turn its users into living advertisements? Well, we will see.

By Daniela La Marca