The Irish Data Protection Commission (DPC) told us it’s asked Facebook to provide more information on what data is collected via the market research program, codenamed ‘Project Atlas’, so that it can determine whether there are grounds for further investigation.
“The Irish DPC only became aware of this story through this morning’s media reporting. Before we can make any assessment as to whether or not there are any data protection concerns, we will need to understand better to what extent, how and on what basis the personal data in question is being processed and used. We have asked Facebook to provide us with this information,” said the DPC’s head of communications, Graham Doyle.
Under European union law there are special requirements for processing minors’ personal data. And, as we reported earlier, Facebook’s research program is open to people around the world — although the company has yet to confirm whether it has any teenage participants in Europe. (We’ve asked and will update this report with any response.)
If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime. (Facebook’s international HQ is located in Ireland, which makes the Irish DPC the lead agency for any investigation of the project.)
Less aware of the risks
Setting out conditions applicable to consent for processing the personal data of children aged 13 or older, one section of text from the GDPR reads: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
“Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand,” runs another.
The VPN app that Facebook has been using as a data-harvesting vehicle (since we reported on the story it’s closed down the iOS version of the app) requires participants give root access to their device — potentially affording the company a very high resolution view of their digital activity indeed.
According to an investigation we commissioned data continuously collected via the VPN app could include private messages in social media apps; chats from in instant messaging apps – including photos/videos sent to others; emails; web searches; web browsing activity; and ongoing location information.
Although Facebook has also not confirmed exactly what data types it pulls via the program.
Participants are offered payments of up to $20 (in e-gift tokens) to incentivize them to sign up to have their data harvested on an ongoing basis, with the program open to people aged 13-35.
Facebook says parental consent is required for minors aged 13-17. But it’s not clear how robust the company’s age verification process is — after BBC journalist Dave Lee reported being able to sign himself up to participate in Project Atlas, earlier today, as a “14-year-old boy… with two kids”.
“It required no proof of parental consent at all. I’ve just been sent a link to download the iOS app, ” he added via Twitter.