Privacy consultant Alexander Hanff has formally accused Meta and YouTube of unlawful surveillance of EU citizens. According to The Register, the allegations center around the use of tracking scripts without explicit consent, a potential breach of Ireland's computer abuse law. The complaints, lodged with Pearse Street Garda in Ireland, claim that both companies have engaged in unauthorized data collection and monitoring practices.
Alleged Violations and Legal Framework
According to Hanff, Meta has been processing data for behavioral advertising without a proper legal foundation for over five years, since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018. He highlights specific sections of the Criminal Justice (Offences Relating to Information Systems) Act 2017: Section 2, which prohibits unauthorized access to information systems, and Section 5, which forbids the interception of data transmission within an information system without authority. Hanff argues that his browser's Do Not Track (DNT) setting was overridden when these companies deployed tracking scripts, thus constituting a criminal offense.
For YouTube, the complaint pertains to its system that detects the use of ad-blocking software, essentially viewing it as spyware. Hanff has already filed a civil complaint with the Irish Data Protection Commission over this issue and now seeks criminal action as an expansion of his legal strategy.
Past Enforcement and Current Implications
The move to file criminal complaints stems from dissatisfaction with the pace and efficacy of regulatory enforcement in the EU. In Hanff's view, fines and actions have failed to sufficiently deter companies from engaging in invasive advertising practices. By invoking criminal law, he intends to put greater pressure on companies to comply with data protection legislation. Moreover, the Irish law implicated would hold company officers personally accountable for authorizing such surveillance, potentially leading to a significant shift in corporate behaviour towards privacy.
Meta and Google have both declined to comment on the issue, while a response from the Irish authorities is pending. The outcome of these complaints could set a precedent in the enforcement of privacy laws against major tech corporations in the EU.
Meta/Facebook's Long History of Regulatory Troubles
Meta is already in hot water with European regulators, and is potentially facing a ban on all personal data processing in the EU. The European Data Protection Board (EDPB) has instructed Ireland's Data Protection Authority (DPA) to put a ban on Meta's processing of personal data for behavioral advertising within the European single market.
Meta has a notorious track record of violating user data and privacy when it was Facebook. A rebranding strategy is not sufficient, users demand concrete changes in how Meta safeguards their rights. Meta has previously encountered challenges in the EU due to its data practices. The company faced a hefty fine of €1.2 billion for transferring EU citizens' data to US-based servers. Another penalty of €265 million was levied on Meta in 2022 for not preventing the unauthorized access and online posting of millions of Facebook users' data.
