The GDPR poses big potential problems for Facebook, Apple, Twitter and LinkedIn if they’ve violated stricter privacy laws

The GDPR’s big teeth are starting to sink in

Far stricter than U.S. privacy laws, the General Data Protection Regulation (GDPR) went into effect May 2018 and is the basis for numerous investigations into practices by these US companies. The Data Protection Commission (DPC) in Ireland, where many large international companies have their European headquarters, is the primary regulator and investigator for the European Union.

Facebook, including its WhatsApp and Instagram platforms, is defending itself against 10 DPC investigations related to user privacy and whether they’ve violated European privacy laws. Facebook has had several problems where its users have been compromised. Last September, Facebook reported its View As feature caused nearly 30 million accounts to be compromised (See our blog: Facebook breach could have impacted third-party apps; Is a huge GDPR fine on the horizon?).

In December, a software bug exposed photos of close to 7 million users to third-party apps (See our blog: Facebook compromises users’ privacy yet again.). All of these data violations were without user awareness or consent.

Three of the potential GDPR violations in question are related to the breach in September. Regulators are looking into whether Facebook correctly notified European authorities about the breach and compromise of user data – a requirement under GDPR. Two probes are focused on WhatsApp.

Twitter, Apple and LinkedIn also under investigation for GDPR violations

Twitter and Apple face two probes each. LinkedIn, owned by Microsoft, faces one.

For Twitter, one of the probes concerns a “large number of breaches” the company self reported. Twitter is also being investigated for how much access users have to their data.

Apple is under investigation for how it handled personal user information and how it handles user profiles with regard to targeted advertising.

LinkedIn is being probed for the same thing concerning targeted ads. Another separate complaint involves its Mentioned in the News feature, which notifies users when they are mentioned in the media. LinkedIn has said it would disable the feature in Europe for now.

The fifth giant – Google – is under scrutiny and already fined billions for EU privacy violations

Google is also in also defending itself against several accusations of unfair advertising. Just today, the European Union (EU) handed down a $1.7B fine for an antitrust violation in the online advertising market. This marks the third EU fine against Google, totaling $9.3B. Google has not paid anything yet as it is currently appealing the first two. One of those two fines last July was $5Billion. Google has not yet announced whether they will appeal this latest fine but odds are they will.

Online advertising at the heart of the probe for possible privacy violations

Google is battling several other probes. Some emails turned over to regulators in the UK, Ireland and Poland on February 20 likely made Google’s defense more difficult. The crux of the probe is that Google and other advertisers gather and use people’s private information to serve up personalized ads. The essence of the GDPR is that users must be made aware and give permission about what information is collected on them as well as give permission about how it is used.

European regulators believe this advertising activity violates user privacy and they assert that tech giants like Google and the Interactive Advertising Bureau (IAB) are fully aware that their advertising networks encroach on the EU’s privacy laws.

2017 emails may reveal Google and advertisers were aware of possible privacy violations

If proven true, such allegations could turn the online advertising world on its ear. The uncovered emails turned over to regulators in February would seem to indicate that this concern was not lost on Google executives.

The email in question, from 2017, was sent from Townsend Feehan, CEO of IAB Europe, to senior staff in the European Commission Directorate General for Communications Networks, Content, and Technology. Feehan reveals staffers against new ePrivacy Regulations meant to come with the GDPR. These regulations are currently still in negotations, but the emails stated they could “mean the end of the online advertising model.”

Attached to the email was an 18-page document describing how the rules would tighten the use of people’s private information. The GDPR requires people are clearly informed of how their information is being used and who it’s being used by.

Users must know who’s using their data and give consent to have their data used

In the online advertising process, advertisers bid for space on a webpage in a real time bidding process (RTB) based on the type of visitor. An auction is triggered and the winner displays their ad. Wealthy advertisers have more clout and ad networks and exchanges like Google desire to have all kinds of information about you – the more the better so they can show you ads for things you’ve already expressed interest in.

Part of the rub is it’s not certain who will win the auction to place the ad and in any case, the user doesn’t necessarily know who the advertiser is and hasn’t given consent for the use of their information. Or at least, that’s the crux of the ICO’s investigation – how well information are people about this?

The right to advertise versus the right to privacy

Google, the IAB and others insist they’ve done nothing wrong. Hence, the appeals.

The complainants claim they can prove the IAM has known for a long time that there’s a potential privacy problem. The emails from 2017 would seem to support that claim. The complainants also say they aren’t seeking to halt online advertising, necessarily. But they do want giant adtech firms to perform advertising without sharing highly personal information the way they are now. One claim against the advertisers is that the IAB RTB system allows 595 kinds of information to be part of an ad’s bid request.

All four of these large companies are under fire. All four have already experienced data breaches of varying levels, some of them massive breaches. Google and Facebook have already been fined or stand to face additional enormous fines. The DPC is not backing down so the battle for the right to advertise versus the right to privacy rages on.