Facebook, Tiktok, Zoom & Privacy (scandals)
- GDPR
- 20/01/2021
As technology has developed, people have become more generous with personal data, because in return we get convenience and comfort. We are so used to it that we cannot imagine our world in any other way. Is it safe to live this way? Not at all. Any piece of information can be used against us. We, the data subjects, have lost control over our data in the new digital reality.
The world is full of data-driven companies that have the collection of personal information at the core of their business model. But now there is a trend towards care, trust and respect for customers. This is the reason why some corporations are trying to rebuild their public strategy. One of the ways to achieve this is to implement privacy principles and show the result to the public. Still, many declare their adherence to privacy without actually following those principles. Privacy experts from Data Privacy Office have prepared some comments about Facebook, TikTok and Zoom.
Facebook: what is with advertising?
Since 2004, Facebook has faced numerous privacy scandals related to a wide range of issues, from facial recognition to alleged manipulation of users' political preferences. One of Facebook's most privacy-unfriendly activities is tracking user behavior.
Facebook provides one of the most popular platforms for targeted advertising. Many companies choose to use it as a tool for enhancing their marketing campaigns, as well as to get additional revenue from Facebook by showing ads to their clients. In order to use Facebook Pixel, you place a small piece of code on your website, which tracks a user not only on your website, but also on other sites with Facebook Pixel installed, to say nothing of Facebook and Instagram. Despite its size, this piece of code collects thousands of facts about a person (websites s/he surfs, goods s/he orders, etc.). As a result, Facebook creates a digital profile of a user, which contains not only raw facts, but also predictions and conclusions that Facebook makes regarding a person. Regarding me. Regarding you.
For example, a woman starts searching for goods for newborns, such as bottles, clothes, etc. It’s highly likely that in a couple of days she will start seeing many more ads related to babies and parenthood on Facebook, Instagram and other websites she visits. The reason is that Facebook AI has checked her surfing history and classified this lady as “pregnant or a mother of a baby” (well, to be honest, we do not know the exact term chosen by the Facebook AI, but you get the point). And though there is nothing bad about seeing baby-related ads here and there, the situation may become really awkward if somebody else uses this woman's device. Especially if she was going to keep this pregnancy a secret for a while. Or if it was her sister who was pregnant.
Does your customer know that you use Facebook Pixel? Make sure they realize the consequences – it’s a bad idea to play with customer loyalty.
TikTok: we thought it was for adults.
In 2018, TikTok, an app designed for creating and watching short videos, gained popularity and, with it, a huge number of users. Privacy researchers have repeatedly analysed TikTok and highlighted gaps in personal data protection. It is worth noting that the majority of users are children under the age of 18. According to the GDPR, this category of data subjects needs additional protection of their personal data.
When the creators released their application and started attracting users, they did not take the special protection of their target audience's personal data seriously: nothing was provided for enhanced protection of children's personal data. The following elements were omitted:
- special protection measures for children
- special protection for children in the context of profiling
- child-centred approach to design of TikTok services in the EU
- special protection measures upon registration to enforce the cut-off age of 13
- mechanism for verifiable parental consent that respects various age thresholds as adopted by different EU member states.
Moreover, if we look at the earliest versions of TikTok’s privacy policy, we see that it was only published in English. In 2020 TikTok updated its policy and published it in 7 EU languages. But, as time has shown, it’s not that simple.
On July 22, 2021, the Dutch supervisory authority fined TikTok for not having its privacy policy written in any of the Dutch official languages between 2018 and 2020. The court reasoned that for quite a long time children (a vulnerable group according to the GDPR) were not aware of the risks of having their personal data processed by TikTok. The court also referred to the guidelines, which say that the controller must provide information in a language that the data subject understands.
To be honest, we do not know how this trial will end, as TikTok is appealing against the decision of the supervisory authority. But surely we want such IT giants to respect the rights and freedoms of their users!
Zoom: install is control
The pandemic outbreak meant terrific success for online meeting services such as Zoom, which went from 10 million daily users in December 2019 to 300 million daily users in April 2020. At that time it turned out that Zoom had misled users about its end-to-end encryption and security, had inadequate security that led to «Zoom bombings» (when outsiders hijacked Zoom meetings and displayed pornography or posted other disturbing content), and had shared user data with Facebook, Google and LinkedIn without user consent or even user notification.
The result of these malpractices was a federal class-action lawsuit in the USA. To settle the lawsuit, Zoom agreed to pay $85 million, to be distributed to anyone who had a Zoom consumer account between March 2016 and now (minimum $15 per user).
This preliminary settlement requires approval by U.S. District Judge Lucy Koh in San Jose, California on October 21, 2021. To mitigate vulnerability risks and avoid shady practices, Kaspersky recommends using Zoom’s web interface instead of installing the app on your device, if possible.
On June 4, 2021 Zoom released an updated privacy policy that includes more details about who can «see, save and share» Zoom meeting content, and the kind of data that Zoom collects from users’ devices. Zoom faces the need to make the service compliant with the GDPR.
The use of Zoom software involves the transfer of personal data to the USA, which requires additional safeguards under the GDPR, as the USA does not have the status of a country providing adequate protection for personal data (as compared with the GDPR). This was determined by the European Court of Justice in the Schrems II decision, and Privacy Shield, which was previously used as the basis for transfer, was suspended. Standard contractual clauses alone are not sufficient: a transfer impact assessment must also be performed and appropriate supplementary measures put in place to ensure ‘essentially equivalent’ protection.
On August 16, 2021, the Hamburg Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, officially warned the Senate Chancellery of the Free and Hanseatic City of Hamburg against using the video conference solution from Zoom Inc.
The message of this article is that certain business models are built on privacy violations; however, in the long run, respect for users' privacy pays off. Your company’s adherence to personal data protection is an additional factor in winning users’ loyalty: do not underestimate its value.