EPRS | European Parliamentary Research Service
6
enables independent developers to build
applications based on Facebook's data. Meta
continuously
updates the technology. Meta
also collects data relating to non-Facebook
users and their devices and apps each time they
visit publicly accessible Meta services, from
business partners (information sharing) and
from Facebook users (contact uploading).
Meta collects information provided by the
users, including their account, contact and
content data. It logs user activities, including
content views, interactions, purchases,
hashtags used, use of social plugins
and
Facebook login, as well as the time, frequency
and duration of activities on Meta products
(activity data). As part of activity data, it also
logs what users see through Instagram's
camera feature, background sound from voice-
enabled features, and communication-related
data (
subject to the e-privacy rules).
Additionally, it records and infers information
from and about friends, followers and other
connections. It also collects device, network,
app, and browser information, including
whether Meta's app is in the foreground or if
the users' mouse is moving (platform,
platform usage and network data). When
users activate Meta's location services fu n ction,
Meta collects location data from the GPS and,
depending on the operating system, other
device signals such as nearby Bluetooth or Wi-
Fi connections. Even if locations services is
turned off, Meta
receives and uses location-
related information from IP addresses, check-
ins, events,
metadata from photos and
information about internet connections. From
partners, measurement vendors and third
parties, Meta obtains information about user
activities within its products and across third-
party websites and apps (third party data).
This includes information from the websites
users visit, the way they use partner products, their purchases and transactions data, as well as
information on their interactions with ads. Other information partners share with Meta includes
users' email addresses and device IDs (for the purposes of targeted advertising).
Amongst other things, Meta uses the information it collects to personalise products and ads; provide
and improve products; derive business insights (business intelligence); provide measurement,
analytics and other business services; as well as to communicate with users. Product
personalisation includes personalising features, content and recommendations, such as one's
Facebook feed, Instagram feed, Stories and ads. To show ads and other sponsored or commercial
content, Meta processes
information, including users' profile information, their activity while they
are on and off products, inferred user interests, and information about other connections. Its
systems automatically process the information collected to assess and understand users' interests
Scrutiny of data processing practices
At the request of the Belgian Data Protection Authority's
predecessor, B. Van Alsenoy et al. drafted a report
analysing
Facebook's policies and terms and conditions. Referring to
the report and with the
backing of several EU SAs, the
Belgian SA published two recommendations and in 2015
also filed a lawsuit against Facebook. The lawsuit is pending
with the Brussels Court of Appeals after the CJEU confirmed
in a preliminary ruling that the Belgian supervisory
authority was competent to engage in legal proceedings,
despite failing to qualify as lead supervisory authority.
Following the Cambridge Analytica scandal, US Se nate and
House Committees held hearings with Mark Zuckerberg
about Facebook'
s data use. CEO Mark Zuckerberg
acknowledged the collection of data on internet users
without a Facebook account (ambiguously termed
'shadow profiles'). Following up, Facebook did not clarify
how many data points it held for the average non-
Facebook user. While Facebook
stated it 'does not create
profiles or track website visits for people without a
Facebook account', it
acknowledged that it 'receive[s] some
information from devices and browsers that may be used
by non-users', as well as 'browser and app logs'.
Considering how the above statement is phrased, it is likely
that this information is recorded in logs. Similarly, the EP
LIBE Committee held
hearings and received two written
post-hearing clarifications. Facebook specified that it uses
information associated with non-Facebook users to
provide services, show ads about Facebook, protect
security, and improve products.
'Facebook made changes to certain terms and policies and
implemented
restrictions on ... data access and sharing'. A
recently unsealed transcript of a 2022 discovery hearing,
which was part of a lawsuit relating to the Cambridge
Analytica scandal,
revealed opaque and scattere d storage
of user data as well as liberal re-use prompting the judicially
appointed independent arbiter to wonder about the
methods Facebook uses to comply with the GDPR.
In early 2022, Mozilla announced that it is collaborating
with the non-profit newsroom The Markup to analyse
Facebook's Pixel tracking network and understand the
kinds of information it collects on sites across the web. The
first
results revealed that Facebook is receiving sensitive
medical information from hospital websites.