Facebook will have to completely change its approach to personal data – at least for its European users – according to a study recently published by researchers from the University Carlos III of Madrid.
Facebook holds sensitive, personally identifiable data on 40% of the European population. The impressive EU regulation on the protection of personal data (GDPR) will enter into force on 25 May, introducing stricter restrictions on how companies can use and store personal customer data. This will greatly affect foreign technology companies operating within the EU, since they will no longer be able to use personal data in the highly free and lucrative way they used to.
Facebook is one of these companies and will have to completely change its approach to personal data – at least for its European users – according to a study recently published by researchers from the University Carlos III of Madrid.
Personal data held by Facebook
The study reveals that Facebook classifies over 73% of its EU users based on interests related to sensitive personal data, a number of users that corresponds to around 40% of the total EU population. This means that the personal data of around 205 million Europeans is not completely anonymous and their identity could be revealed on the basis of data stored on Facebook, endangering user privacy and making them vulnerable to phishing attacks, for example.
This practice is strictly contrary to the EU law that is about to come into force, as it prohibits the exploitation of categories of personal data that may pose a risk to privacy, such as political orientation, religious beliefs, sexual preferences, etc.
Facebook and personal data: classifies tastes and interests
In their conclusion, the researchers – José González Cabañas, Ángel Cuevas and Rubén Cuevas – affirm that one of the reasons why Facebook keeps track of users' interests is the improvement of advertisements, which means that the company is "commercially exploiting sensitive personal data for advertising purposes", a practice prohibited by the new GDPR and punishable by fines equal to four percent of the company's overall annual turnover.
Facebook: change the approach to personal data
The researchers also encourage the American technology giant to react to the results of the study and to change its approach to personal data as soon as possible:
We illustrate how FB users to whom sensitive specifications have been assigned for advertising purposes could face serious privacy risks, since the identity of some of them could be revealed at low cost through simple phishing attacks.
The results of our work call for a quick reaction from Facebook to remove from its list of ads all those that can be used to identify political orientation, sexual orientation, health conditions, religious beliefs or ethnic origin of a user for two reasons:
(i) this will ensure that Facebook respects the GDPR, (ii) it will preserve the privacy of users from attackers who aim to reveal the identity of groups of people linked to (very) sensitive information.
Researchers estimate that personal data could be revealed by malicious third parties, through preferences and interest specifications, for a paltry 0.015 per user. This is not just an alarming fact, but explicitly underlines the need for proper privacy regulation, as should be the case with the GDPR.