Datatilsynet’s DPIA on Facebook: main findings from the Norwegian DPA

Privacy espresso series, August 11, 2022

In this PrivacyEspresso we talk with Suzanne Lie, senior advisor at the Norwegian DPA (the Datatilsynet), about the DPIA conducted by the data protection authority to establish whether or not to use Facebook.

The Authority was the first organisation to undertake such an activity. For this reason, the Datatilsynet gathered a team of lawyers, technologists and social media experts to consider all the possible perspectives. The background considered consisted of previous cases related to Facebook, including the ECHR decisions associated with Facebook.

The main findings of the Datatilsynet were:

1. Facebook has a standard contract, the terms of use (ToU), but its purposes for data usage are too vaguely defined.

2. There is no control over what users will post, and this is a duty that any company would have as a joint controller.

3. Also, the ToU does not provide a complete overview of how data are processed.

4. They noticed several processing activities that were not included in the ToU/processing contract per se.

5. Data protection by design and by default couldn’t be attained with the standard contract.

6. In a more general sense, the type of data collected and shared can easily be used for profiling. Their usage is neither predictable nor transparent for users, who can be manipulated or discriminated against through such data.

7. Those risks are not just theoretical, as it is known how Facebook uses data for profiling and similar activities.

8. The Facebook page owner can’t help their users to exercise their rights.

In light of this, the DPA has concluded that the risk of using this social media is too high. In particular, the company is not transparent enough about how the data is processed and where it is transferred. Consequently, several other public offices have decided to shut down their Facebook pages.