Facebook Facing GDPR Investigation over Audience Targeting Methods

Facebook is facing the wrath of the European Union’s General Data Protection Regulation (GDPR) once again following a complaint made by the UK Information Commissioner Office (ICO) to the Irish Data Protection Commission (DPC) in relations to the social media giant’s user targeting tactics.

Facebook has come in for heavy criticism in recent weeks after a number of news reporters portrayed how easy it was to post fake advertisements that appear to be sponsored/funded by real politicians. Other reports included targeting individuals with extremely conservative views and opinions.

The Irish Data Protection Commission is the relevant body to investigate the complaint as the Facebook European headquarters is based in Dublin. Communications spokesperson for the DPC Graham Doyle said: “Once this referral has been received by the DPC, we will assess the information and decide then what steps are required.”

In a 113-page report submitted to the British Parliament today ICO revealed: “We are in the process of referring other outstanding issues about Facebook’s targeting functions and techniques used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the Irish Data Protection Commission.”

Head of ICO Elizabeth Denham told the UK Parliament’s Digital, Culture, Media and Sport Committee at meeting earlier today: “Facebook needs to change, significantly change, their business model and their practices to maintain trust. We have uncovered a disturbing disregard for voters´ personal privacy. Social media platforms, political parties, data brokers and credit reference agencies have started to question their own processes – sending ripples through the big data eco-system.”

Prior to the introduction of GDPR on May 25 this year ICO sanctioned Facebook with a £500,000 fine last month in relation to its dealings with the well publicised Cambridge Analytica scandal. At the time this was the maximum penalty permitted under the British Data Protection Act 1998. In the new GDPR regime this figure could be much higher as the maximum penalty is no €20m or 4% of annual global revenue, whichever figure is higher. Using the 2017 financial figures for Facebook this would have been approximately £17m as Facebook had total revenue of €35.41 billion/£30.9bn.

Reacting to the news a Facebook representative defended its approach to audience targeting saying: “We regularly engage with regulators regarding our advertising tools, which we believe fully comply with EU data protection laws”. Separately, commenting to the Guardian newspaper Facebook revealed that: “We have learnt that some people may try to game the disclaimer system by entering inaccurate details and have been working to improve our review process to detect and prevent this kind of abuse.”

This is just the latest investigation that Facebook has faced since the introduction of GDPR. In September it was revealed that up to 50m users of the social network may have had their privacy violated in a cyber attack when a hacker exploited vulnerability to gain access to databases. This came after it was revealed that user levels on the platform fell significantly following the May 25 GDPR introduction date.