Facebook faces fight in Europe over new privacy policy

Last week Facebook rolled out a new privacy policy that allows the sharing of data between its various services, such as Instagram and the Atlas ad unit, and the tracking of users across much of the web. At the time, Hamburg’s data protection chief said he was preparing to coordinate with counterparts across Europe to see what might need to be done about this.

Now, according to IDG, EU data protection officials have formed a task force to deal with the matter, on the basis that Facebook’s new policy may well contravene European privacy laws.

The privacy policies of the big U.S. web giants, which make their money by tracking users in great detail so as to sell their profiles to advertisers, have long been a sore point in the EU. On Friday Google and the U.K.’s Information Commissioner’s Office (ICO) announced a settlement to a long-running investigation over that company’s policy – Google will give users more information about how their data collected and shared between services, and perhaps a little more control over how this happens.

This will apply across the world, not just in the U.K., but it remains to be seen whether it will mollify regulators in continental Europe who have spent the last couple years fining Google over its practices. For one thing, the U.K. settlement measures don’t seem to include an explicit opt-in for the sharing of personal data across services, as privacy officials in other EU countries had demanded.

According to IDG, the regulators are now examining several aspects of the behavior allowed by Facebook’s new policy: its off-site tracking of users across sites and apps that are connected to Facebook services, its sharing of data with third parties, its use of personal information and images for commercial purposes, and again the general lack of explicit opt-in user consent for much of this.

Facebook’s new terms aren’t quite the unified privacy policy that Google created — there’s still a data wall between WhatsApp and Facebook, for one thing — but the effects are broadly similar when it comes to mixing and matching personal data between Facebook’s units. In the cases of both Facebook and Google, those units have surprisingly extensive reach across the web and apps.

Here are a few of the key passages in Facebook’s policy:

We collect information when you visit or use third-party websites and apps that use our Services (like when they offer our Like button or Facebook Log In or use our measurement and advertising services). This includes information about the websites and apps you visit, your use of our Services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us.
Information from third-party partners.

We receive information about you and your activities on and off Facebook from third-party partners, such as information from a partner when we jointly offer services or from an advertiser about your experiences or interactions with them.

Sharing With Third-Party Partners and Customers: We work with third party companies who help us provide and improve our Services or who use advertising or related products, which makes it possible to operate our companies and provide free services to people around the world.

This is all quite similar to what Google does, and the reaction seems set to follow a similar course. In Google’s case, the regulators also banded together to coordinate assaults on a national level. With regulators in Belgium, the Netherlands and now Germany already sniffing around Facebook’s new privacy policy, the company probably has a substantial fight on its hands.

Facebook said in an emailed statement:

We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising. We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates­ including this one with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.

PS – If you want to opt out of some of the tracking permitted through the new Facebook privacy policy, here’s the relevant settings page.

This article was updated at 7am PT to include Facebook’s statement.