Commissioned by the Dutch Ministry of the Interior and Kingdom Relations, Privacy Company investigated the data protection risks of the government's use of Facebook Pages. Facebook has been renamed Meta Platform Inc. in January 2022. Meta also has other applications, such as WhatsApp and Instagram, but this blog is only about Facebook Pages.
Anyone with a Facebook account can create a Page to share information and news. Companies, government organisations, famous people and brands can also do so. Through a Facebook Page, you can share information with friends, with friends of friends, or with a wider audience. When Facebook users like or follow a Page, they get posts from that Page owner in their news feed. Facebook determines the content of that news feed with clever algorithms, based not only on user preferences and activities, but also on activities and ratings (likes) from friends.
Privacy Company has conducted technical and legal research into the personal data Facebook processes when you visit a government organisation's Facebook Page. That research is called DPIA, Data Protection Impact Assessment. Under the General Data Protection Regulation (GDPR), organisations must conduct such an investigation if they suspect that the processing leads to high data protection risks for people. Privacy Company has also conducted broader research into the human rights impact of using Facebook Pages, in a HRIA, Human Rights Impact Assessment. A second blog has been written about that.
A fake government Page was created for the DPIA, of the (fictitious) Ministry of Privacy. With two brand new Facebook accounts and 1 existing Facebook account (in the researchers' names), that Page was visited every day for a month. Both accounts randomly clicked on recommended content. One account received notable anti-government messages. This is further detailed in the HRIA. All investigative actions were recorded, outgoing data traffic to the Facebook servers was intercepted, and at the end, three data subject access requests were filed for the three accounts.
Legally, Facebook considers itself an independent controller of any personal data it collects about visitors to a government Page. Facebook believes it may process those personal data for its own purposes. The DPIA describes 15 main purposes, including profiling and showing personalised information and ads. Facebook uses tracking cookies for that personalisation, also collecting data from Page visitors who do not have a Facebook account. Facebook does not want to offer public organisations a joint controller agreement for those processing operations. Facebook only offers such a contract for a very small part: showing the Page Insights statistics to the Page owner. In view of the absence of contractual agreement on the processing of the iceberg of underlying data processing, the use of a Page results in third party data disclosure. Government organisations have to regard Facebook as a commercial third party company to which they disclose all the personal data of their Page visitors. There is no necessity for government organisations to disclose personal data in this way. Because Facebook does not clearly inform what it does with the data, and how it determines which posts visitors see in their news feed, the visitors cannot give valid consent either, insofar as Facebook asks for such consent at all.
Technically, Facebook uses tracking cookies in a misleading way: Facebook pretends that the datr tracking cookie is a strictly necessary cookie. Facebook collects a lot of data about Page visitors' behaviour, but does not reveal the logic of using those data to show personalised posts, recommended other content and ads.
On top of that, there are problems with the transfer of personal data to the United States, a country without an adequate level of data protection. Transparency statistics published by Facebook about disclosure to law enforcement and intelligence services in the US show that there is a real risk that such orders include data from visitors to Dutch Facebook Pages.
The DPIA concludes that there are 7 high privacy risks, and 1 low, when a government organisation uses a Facebook Page to communicate with a mass audience.
Meta disagrees with the findings and conclusions. A summary of Meta's response, with Privacy Company's response to it, is attached to the DPIA.
This DPIA concludes that government organisations should stop using Facebook Pages if Facebook does not take measures to reduce the high risks. The Dutch government will immediately start a dialogue with Facebook.
We publish this blog about our findings with the permission of the Ministry of the Interior and Kingdom Relations. For questions about the investigation, please contact the ministry's press spokesperson, Thomas van Oortmerssen 0031 6 31 01 97 81.