Facebook cannot comply with EU data protection laws, civil liberty council says

Dublin group urges European Commission to act on Meta material from California legal case

The Irish Council for Civil Liberties says documents relating to litigation against Meta in California describe 'data anarchy' in the social media group. Photograph: Josh Edelson/AFP
The Irish Council for Civil Liberties says documents relating to litigation against Meta in California describe 'data anarchy' in the social media group. Photograph: Josh Edelson/AFP

Facebook parent Meta cannot comply with new EU data laws, the Irish Council for Civil Liberties has said in a letter to the European Commission.

The Irish group says it is basing its argument on thousands of pages of documents relating to long-running litigation against Meta in California.

In the letter to European Commission executive vice-president Margrethe Vestager, the ICCL says the documents describe “data anarchy” in the social media group. Ms Vestager’s brief in the commission includes competition issues and digital media, information and IT. That encompasses the operation of the newly enacted digital markets Act

ICCL says the documents for the California case show that people in Meta responsible for data systems are unaware of how other people in the company use their system.

READ MORE

Data ‘free-for-all’

“In some cases even the engineers using a system may not be able to understand what is happening because, according to a Meta engineer, ‘it is not possible for humans to understand’,” the Dublin-based group said.

“Meta’s data free-for-all makes compliance with the new EU Digital Markets Act (DMA) impossible for the tech giant,” it says. The Act, which came into force at the start of November, prohibits Big Tech firms from automatically using data from one part of their business to prop up other parts, the ICCL notes.

In the letter, Johnny Ryan, senior fellow at the ICCL, says: “Meta cannot comply with provisions of the DMA that prohibit data combination and reuse. Meta cannot account for how it uses data internally. It therefore also cannot distinguish data uses for separate core platform services, or for any other services, or other sources of data, too.

“Meta’s inability to know and account for how it uses data internally not only makes it impossible to comply with the DMA, but also infringes the GDPR, too,” Dr Ryan wrote.

Purpose limitation

He said the documents show that Meta is infringing the principle of purpose limitation in GDPR – laying down that personal data must be collected and processed solely for specified, explicit and legitimate purposes.

Referring to a European Court of Justice ruling in October, Dr Ryan said it prohibited “any processing of personal data which takes place after the initial processing” unless it is compatible with the purpose for which the data were collected.

The test for whether it was compatible, according to the ECJ, was whether the person concerned would reasonably anticipate the further processing, he said. “It [Meta] does not even know what each of its processing purposes may be, and there is no reasonable way for a person to anticipate what will be done with their data,” Dr Ryan said.

“These latest revelations show data anarchy inside Meta,” he said. “It does not know where, how or why data is used internally. Meta cannot comply with the new EU Digital Markets Act and has failed to uphold its GDPR obligations for years. This is a data free-for-all.”

ICCL’s letter urges the European Commission to be prepared to impose “structural remedies” on Meta under the Digital Markets Act, which could include a move to break Meta up.

Dominic Coyle

Dominic Coyle

Dominic Coyle is Deputy Business Editor of The Irish Times