April 10th 2020 – By Simon Orr

Facebook Privacy and the Dating App. Can Facebook Avoid the Wrath of the Regulator?

Originally published in Info Security Magazine.

This past autumn, Facebook found itself in the firing line yet again when it announced plans for the European launch of its new dating app.

As it failed to provide adequate notice about its intentions to the regulator, including failing to file a Data Protection Impact Assessment to the Irish Data Protection Commission (DPC), the launch was scuppered and was put on the back burner for the foreseeable future.

This isn’t the first time Facebook privacy has been in the spotlight, and the company has been involved in legal proceedings before. In fact, it has clocked up an impressive rap sheet as a persistent privacy offender across multiple borders and geographies, including a record $5bn fine by the Federal Trade Commission, investigations by the SEC, FBI and Northern District of California following the Cambridge Analytica scandal, and ten ongoing investigations by the Data Protection Commission into Facebook privacy breaches of the GDPR.

Can Facebook privacy improve?

Facebook is likely to continue to be punished for its violations of data privacy, but the judicial system is equally focused on rehabilitation, so let’s consider what the company can do to change its future. With almost 2.5 billion monthly active users, Facebook is the biggest social network worldwide.

If Facebook’s founder, Mark Zuckerberg, is to be believed, the company really does want to make big changes – he’s even endorsed a global framework that would bring individuals’ rights to protect their personal data into line with the EU GDPR.

Turning policy into practice

The biggest challenge that Facebook, and many organizations like it, face is that they’ve failed to turn policy into practice. This is the most common pitfall for organizations of every kind.

Simply creating a privacy policy and appointing a DPO doesn’t demonstrate compliance. Speaking at the 2019 data protection practitioners’ conference, UK Information Commissioner Elizabeth Denham said: “GDPR formalizes the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organization.”

If you go and ask them, internal teams simply don’t know whether they are securing, storing and sending data properly. You need to help them follow policies and do the right thing.

At Exonar, we’ve held roundtable discussions attended by data privacy and security specialists from leading UK organizations. In these discussions, several salient points came up again and again. The experts determined that, in order to make true change, organizations must embed the policies into their business-as-usual. This can be done in the following ways:

  • Embracing the crossover between data privacy and cybersecurity, to secure data at the perimeter fence and lock it down at the source.
  • Putting the customer first when delivering on privacy, security and risk.
  • Aligning data usage with the company mission and values to embed privacy in the culture.
  • Appointing and empowering data champions to encourage shared ownership of data privacy.
  • Leveraging technology to simplify and automate the process of managing data.

Privacy is about more than just data

It’s easy to forget that behind every piece of data lies a person. I don’t think Facebook ever set out with the intention of maliciously harvesting personal data for financial gain. The company was born from the desire to connect college friends and allow them to have some fun, but as the business grew exponentially along the way, the focus seemed to shift away from the people who use the platform and make it what it is.

All organizations have a duty of care to their employees, customers and partners to keep their most precious possession safe. As we consider how we handle data, we must remember the human element; it may be data on paper, but in real life that data is someone’s life.

The procedural aspects around data need to be baked into a company’s operating DNA. Only once you are able to demonstrate, within your organization’s operations, that you have adopted data protection practices that are proportionate and appropriate for your type of organization will you maintain compliance and avoid the wrath of the regulator.