Colm Long Director of Operations Facebook Ireland Limited Hanover Reach 5-7 Hannover Quay Dublin 2. Ireland

Similar documents
Identification and Tracking of Individuals and Social Networks using the Electronic Product Code on RFID Tags

PRIVACY POLICY (LAST UPDATED: )

Explanatory Notes Data Protection

The Art of Intervenability for Privacy Engineering

Data protection at affilinet

Corporate Policy. Data Protection for Data of Customers & Partners.

Public Health England, an executive agency of the Department of Health ("We") are committed to protecting and respecting your privacy.

Privacy & Data Security: The Future of the US-EU Safe Harbor

Key issues in data protection: a pan-european view

Code of Conduct of adidas AG Herzogenaurach

Privacy and Data Protection (and more) for Big Data

All rights reserved. 2011, EuroPriSe/ULD

Data protection and e-commerce: implementation aids and realisation proposals by the Federal Data Protection Commissioner

Plus500UK Limited. Statement on Privacy and Cookie Policy

Drawn up by the Board of Management on 26 October 2015 and approved by the Supervisory Board on 2 November Effective as of 1 January 2016.

Cookies Compliance Advisory

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels.

PRIVACY NOTICE. Last Updated: March 24, 2015

PRIVACY POLICY USER INFORMATION. Information you provide to us

Privacy Policy. 1. Principle

Vyve Broadband Website Privacy Policy. What Information About Me Is Collected and Stored?

Privacy Policy. This includes data you provide to other users when communicating with them on websites and games operated by TRAVIAN GAMES.

Privacy Policy. When you create an account or use our Service, we collect the following types of information from you:

Customer Charter. committed to providing a quality service

Working Document 02/2013 providing guidance on obtaining consent for cookies

eprivacy GmbH Criteria Catalogue "eprivacyapp" June 2015

Short Public Report. on the IT product and IT-based service. ProCampaign 2.0

Jürgen Fitschen Co-Chairman of the Management Board and the Group Executive Committee

Israel LEVITAN, SHARON & CO. Peggy Sharon and Dror Zamir office@levitansharon.co.il. 1. Insurance intermediation activities

Data Protection for Fundraisers

Article 29 Working Party Issues Opinion on Cloud Computing

:-) Doing the right thing Starts with reading the right thing. Philips General Business Principles, your guide to acting with integrity

Cloud (educational apps) software services and the Data Protection Act

DER HESSISCHE DATENSCHUTZBEAUFTRAGTE

User tracking: Scope and Implementation eprivacy Directive Article 5(3)

Savings & Loans. Our Voluntary Standards. December Consultation Paper CP35

If you have any questions about our privacy practices, please refer to the end of this privacy policy for information on how to contact us.

PRIVACY POLICY. Any form of reproduction in whole or in part of the content of this document is prohibited.

Guidance on political campaigning

New EU Data Protection legislation comes into force today. What does this mean for your business?

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER THE FEDERAL TRADE COMMISSION. In the Matter of Myspace, LLC. FTC File No

Overview of Employment and Employee Privacy Laws and Key Trends in Austria

How To Be A Responsible Corporate Citizen

PRIVACY POLICY. Last Revised: June 23, About this Privacy Policy.

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Improving self-regulation through (law-based) Corporate Data Protection Officials *

COMMENTARY Scope & Purpose Definitions I. Education. II. Transparency III. Consumer Control

WEBSITE PRIVACY POLICY. Last modified 10/20/11

Leonardo Hotels Group Page 1

Security-Compliance Guidelines of the Generali Deutschland Group

KONGSBERG's CORPORATE CODE OF ETHICS BACKGROUND

Privacy Policy. What is Covered in This Privacy Policy. What Information Do We Collect, and How is it Used?

MRS Guidelines for Online Research. January 2012

INTRODUCTION We respect your privacy and are committed to protecting it through our compliance with this privacy policy.

ESOMAR PRACTICAL GUIDE ON COOKIES JULY 2012

Privacy Notice for Clients, Insureds, and Claimants (South Africa)

Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment

Appendix 11 - Swiss Data Protection Act

Privacy Policy. MSI may collect information from you on a voluntary basis when you:

Data, Privacy, Cookies and the FTC in Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Bodywhys Privacy Policy

Message 791 Communication from the Commission - SG(2012) D/50777 Directive 98/34/EC Notification: 2011/0188/D

Trusted Cloud Competence Centre 13 April Trusted Cloud Data Protection Profile for Cloud Services (TCDP) Version 0.9

Privacy Policy MacID. Document last updated Sunday, 28 December 2014 Property of Kane Cheshire

High-value address solutions that are compliant with data protection regulations.

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II

MASTER ADVERTISING AGREEMENT

Legal session: copyright status of statistical data, privacy issues

Mobile Privacy Principles

TLS is the organisation that you pay in return for credit on your OV-chipkaart.

Give Your Mobile App

Estée Lauder Companies Global Jobs Website Privacy Policy

How To Counter SpIT

Privacy Policy Version 1.0, 1 st of May 2016

FIDELITY APPLICANT PRIVACY AND PROTECTION NOTICE

E-commerce and Legal Compliance

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Privacy Policy...1. We Respect Your Privacy...1. What information do we collect about internet users?...2

WEBSITE & SOCIAL MEDIA PRIVACY POLICY

DDV Declaration Commissioned Data Processing and Data Treatment (Version: 09/2009)

Terms and Conditions of Use of the Mediastore / Data Asset Management Platform of Konica Minolta Business Solutions Europe GmbH

INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

PATH TO ROI: Understanding Customers Through Social Profile and A WHITE PAPER BY GIGYA

Privacy Policy. 1. Principle

Privacy Policy. If you have questions or complaints regarding our Privacy Policy or practices, please see Contact Us. Introduction

Privacy Notice for Job Applicants, Associates, Temps, Contractors, and other Workers (South Africa)

Thank you for visiting this website, which is owned by Essendant Co.

The Professional Standards Team is also available to discuss any aspect of the Code with you, so please do contact us if you have any queries.

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

The term Broadway Pet Stores refers we to the owner of the website whose registered office is 6-8 Muswell Hill Broadway, London, N10 3RT.

Privacy and Transparency for Consumer Trust and Consumer Centrality

(a) republish material from this website (including republication on another website);

Self assessment tool. Using this tool

Global Code of Conduct

Orange Polska Code of Ethics

Data Protection, Software Licenses and other Legal Issues in the Cloud

Transcription:

ULD. Postfach 71 16. 24171 Kiel Colm Long Director of Operations Facebook Ireland Limited Hanover Reach 5-7 Hannover Quay Dublin 2 Ireland Holstenstraße 98 24103 Kiel Tel.: 0431 988-1200 Fax: 0431 988-1223 Ansprechpartner/in: Dr. Thilo Weichert Durchwahl: 988-1200 Aktenzeichen: LD -61.41/11.001 Kiel, 5. September 2011 Data protection analysis on Facebook's web analytics Your letter of August 25th, 2011 Dear Mr. Long, Thank you very much for your letter dated August 25 th, 2011, by which you react to our PR of August 19 th, 2011. We thereby pointed out to website owners in Schleswig-Holstein that implementing Facebook s social plug-ins as well as operating Facebook-fan pages infringes German and European data protection law. The objective of your letter is declaredly to contribute by clarifications about your service that will lead to people in Schleswig-Holstein being able to continue to use [your] service. First of all I must point out to you that neither the law nor the Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein (ULD) prohibits the use of Facebook. Rather it is in our understanding a part of the right to informational self-determination that every person may decide freely which internet services he or she would like to use. A prerequisite for self-determined internet use in line with our data protection law is sufficient information directed to the user and straightforward and free choices. Website owners are legally bound to that end. The objective of ULD is to make this a reality for providers in Schleswig-Holstein. The point of ULD therefore is to enable the data protection compliant use of Facebook s services. I was delighted to learn that you intend to examine the content of our public working paper and to respond to it in detail. We are all agog, because we do not have any knowledge about Facebook s internal data processing which we hope to learn from your response. Up to now all our knowledge ULD Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein Holstenstraße 98, 24103 Kiel Tel. +49 431 988-1200 Fax +49 431988-1223 www.datenschutzzentrum.de E-Mail : mail@datenschutzzentrum.de PGP-Fingerprint : 042D 0B0E 6D4F F4D3 FB5D 1B6A 318C B401

- 2 - is based on the technical analysis of the communication in the internet to and from Facebook. According to European data protection law internal data uses of a data processor like Facebook are processes subject to fundamental rights that need to be made transparent and must be legally legitimized. We have acknowledged with interest that Facebook does not log IP addresses that geo-locate to Germany unless the visitor to a website with a Like Button is a logged in Facebook member. This limitation is relevant because from our knowledge Facebook does have more than 18 million members of which apparently IP information is logged. You are adding to your explanation that a person may use any website in the world with a social plug-in and [you] would not log the IP address if he or she were using an IP address located in Germany. ULD has not been in a position and currently cannot validate whether your statement is correct. In order to geo-locate you need according to your statement the IP address to begin with. Insofar we are interested to learn more details about the technical processes taking place for geo-location and for deletion of IP addresses. For our technical and legal analysis the issue of storing and interpretation of IP addresses is not of key importance. As a means for identification of a computer, to generate a profile, and for commercial use you are using cookies. You are explaining that you use cookies for two purposes primarily: to support site security and to provide a social context and social features to Facebook members on Facebook and around the web. You would not use cookies to track Facebook members or non-members. It is your point to learn from the web users what they like. This is exactly the important connecting link to our criticism. The discovery of what somebody likes is deemed as profiling under German data protection law. To be allowed to do this the legal requirements set out by TMG and the e-privacy Directive need to be complied with which to our knowledge is not guaranteed when using the Facebook services subject to our analysis. ULD does not assert that when using use data the names of users matter to Facebook. From a data protection point of view the subjective purpose of the data controller is not relevant but rather the objective facts. It is significant whether personal or material circumstances of an identified or identifiable individual are processed, and in which form and for what purposes the processing takes place. According to our knowledge you are processing personal information by e.g., using cookies as identification that generate results offered for the function Insights or commercial web content. You asked us, in order to understand more about the origins of this investigation to inform you how many complaints [we] have received from residents of Schleswig-Holstein concerning a) Like Buttons and b) Pages/Insights and describe the nature of their concerns. This does not matter for the application of data protection law. Controls by data protection supervisory authorities may be conducted in line with sect. 38 BDSG without cause. As a matter of fact ULD has been informed by web users, jurists, data protection officers, and journalists for more than

- 3 - a year that the services criticised by us on August 19, 2011 are illegal and we therefore need to intervene. That the data protection infringements of Facebook services meet with massive public criticism we noted at ULD after publishing our analysis. After publication we also received without doubt critique about our proceeding, but we mainly received approval by the people concerned. You are expressing concern about the actions that [we] are proposing to take such as levying fines against individuals and organisations in Schleswig-Holstein who use [your] service and that these are potentially very damaging to a wide range of interests. This would clearly place people in Schleswig-Holstein in an extremely difficult position. This has been considered by ULD from the beginning. It is a fact that institutions that have previously been using Facebook have brought forward that the sanctions announced could entail a locational disadvantage to Schleswig-Holstein. However, this cannot make us refrain from our proceedings as it is our duty as a supervisory authority to oppose data protection infringements. It should be undeniable that it is possible to offer the criticised functionalities in a way conforming to legal requirements. In any case legal infringements cannot be accepted over a long period of time and to such an extent. This would be a massive discrimination also economically against website owners who conform to the law. In the past ULD has communicated with Richard Allan from Facebook in London. Unfortunately the contact was only little informative and slow so that ULD did not pursue this communication any further. We are well aware that there is a communication between representatives of Facebook and the Hamburg Data Protection Commissioner (HmbBfDI). However, according to my information he was bound to confidentiality on any communication with Facebook even towards the other data protection commissioners. I have recognized that you are now willing to agree to share this information with the other German DPAs. Unfortunately, I have to inform you that this level of transparency is not enough. Because of the legal controllership imposed upon website owners they need to be able to acknowledge which data processings are prompted by you or the use of a site respectively. It is therefore inevitable that such relevant information is made available to them. Therefore, I would like to ask for your approval to have our communication published by ULD. As far as confidential business information is involved we would ask you to mark this accordingly so that we can ensure confidentiality in this respect. This, we are happy to assure you. As a quid pro quo I give my permission to you to publish the letters ULD sent to you. This will hopefully have the effect that the public debate on data protection in Facebook will be lead at a more qualified level than before. You propose in your letter that we jointly ask the Hamburg Commissioner Professor Caspar to continue to lead any direct discussions with Facebook. This suggestion will be unrewarding: The legal supervisory authority of ULD in Schleswig-Holstein cannot be neutralized by an agreement with a corporation. Besides due to the limited resources available to supervisory authorities we need to make sure of an effective use of means and meaningful division of work. With this in mind I have informed my colleagues already a few months ago at the conference of data protection commissioners of the Federal State and the Laender as well as at the Düsseldorfer Kreis that ULD

- 4 - will be working on web analysis in Facebook. This was generally welcomed. There is a constant exchange of information about our insights and our correspondence. Additionally, I can assure you that also a consultation with respect to the operative proceedings among the supervisory authorities in Germany and perceptively even beyond that takes place. For the first time you inform me about potential advisors on data protection policy issues at Facebook. These are Richard Allan in London, Virginie Rousseau in Dublin, and Eva-Maria Kirschsieper (Manager of Privacy & Policy) in Germany. For the national point of contact, Ms. Kirschsieper, you provide an e-mail address (kirschsieper@fb.com) but neither a telephone number nor an office or postal address. As much as ULD appreciates electronic communication as little satisfactory is this in terms of a legally binding communication, for which reason sect. 5 of the German Teleservices Act (TMG) requires information about the (postal) address and for reasons of timely availability, suggests indicating a phone number. Therefore, I would appreciate if you could provide me with this additional information. Full of curiosity ULD is awaiting your results with respect to our analysis and we will publish and comment it gladly. You are not required to communicate with ULD - as in the present case - by postal service. We gladly accept electronic communication encrypted and signed if needed and use it ourselves. By courtesy you will find an English translation attached to this letter. With best regards, Thilo Weichert

- 5 -

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information