Revelations about the chaotic situation with user data management in Meta, Facebook’s parent company, have sparked concerns in Europe.
A letter sent by the ICCL (Irish Council for Civil Liberties) to the EU Commission warns that Meta’s practices concerning user data cannot be compatible with data protection laws applicable in the EU, including the GDPR and DMA.
ICCL examined thousands of pages of unsealed court documents from ongoing data privacy litigation in the United States, which show that Meta doesn’t even know what exactly happens with the data it collects.
Characteristically, when Meta was ordered to produce information about exactly how the 149 distinct but interconnected data systems it uses operate, it declared itself unable to give a satisfactory answer.
This came after a full year of internal investigation of these systems by Meta, which failed to clarify the type of data collected by its various business units, how it is processed, and for what purpose.
At some point, Meta confirmed that at least 55 of these data systems might contain sensitive user data. However, the data management network is so fragmented and simultaneously convoluted that even the engineers working on it have limited visibility of what is happening.
In March 2022, a Meta engineer stated that even engineers directly involved may not be able to understand what is happening to the data because “it is impossible for humans to understand.”
Meta has previously attempted to itemize its data uses and categorize all processing for tighter control, but it has failed to do so, indicating that this is either not to the benefit of its business or simply impossible.
ICCL’s Senior Fellow, Johnny Ryan, stated the following regarding the recent revelations:
“These latest revelations show data anarchy inside Meta. It does not know where, how, or why data is used internally. Meta can not comply with the new EU Digital Markets Act, and has failed to uphold its GDPR obligations for years. This is a data free-for-all.”
Meta’s “data anarchy,” as ICCL names it, violates multiple GDPR articles relating to lawful and transparent processing, data security, processing purpose declaration, and limiting data collection to the minimum required for the provision of services.
Additionally, Meta’s data handling practices conflict with DMA (Digital Markets Act) provisions scheduled to come into force on May 2, 2023.
Most importantly, the DMA dictates that a company should not use data collected by any of its divisions in other businesses under its control.
For example, data about a person collected from Instagram should not be combined and processed with data collected from Facebook and WhatsApp, but Meta seems far from being able to guarantee that.
Hence, ICCL considers Meta to be inherently incompatible with the EU’s data protection laws and holds that it should not be allowed to continue to operate in this manner in Europe.
“In view of the seriousness of the circumstances, the Commission should be fully prepared to use its powers to impose structural remedies in response to systematic non-compliance by Meta under DMA Article 18(1) at the earliest opportunity,” concludes ICCL’s letter to the EU Commission.
While the ICCL is not a regulatory body but an independent rights protection organization, it has significant influence on the Irish data protection office.
This office is the spearhead of Europe’s GDPR compliance mechanism because most tech giants on the continent operate from Ireland, so it is responsible for imposing record fines for data law violations.