Here is a report from the New York Times dated 3rd June 2018. It reports that Facebook has current deals with many “device
manufacturers” and that under the deals the manufacturers were given access to the personal data of Facebook users.
The important elements of that story are as follows:
1. The report is of current events, i.e., events after the EU General Data Protection Regulation (“GDPR”) came into force on 25th May 2018.
2. The Facebook users (like the New York Times reporters and the newspaper’s readers) had no knowledge that the “sharing” was going on. (Reputedly, the US Senate is looking into it.)
3. Those Facebook users had not given their consent to the “sharing”.
4. In the absence of explicit consent the sharing was a breach of Article 6 GDPR (and probably Article 9 GDPR).
5. Article 3 GDPR has the effect of extending the GDPR jurisdiction globally.
6. Article 26 GDPR defines “joint controllers”, a definition which on known facts embraces Facebook Inc. and Facebook Ireland Ltd.
7. Consequently, the benefits of the GDPR extend to and
are available to any Facebook user affected by the “sharing” by Facebook of the personal data. Those Facebook users can be resident anywhere (including the USA) because Facebook Inc. and Facebook Ireland Ltd. jointly control the personal data of every Facebook user in the world.
8. The relevant regulatory authority to address any complaint arising is the Irish Data Protection Commission. The Commission is a body empowered to apply fines of up to €20 million or 4% of global turnover, whichever is largest.
9. If point 6 above applies, the fine would be levied with regard to the turnover of Facebook Inc. and Facebook Ireland Ltd.
What are Facebook’s users going to do?