Facebook’s T&C and the GDPR: A Case Study

Social media websites such as Facebook have not only grown manifold in their number of users and popularity but have also come to be regarded as important means of shaping public discourse, making them one of the most sought-after modes of advertising. These websites are beneficial for vendors as well as consumers. Facebook, in order to become more efficient, has used several tools which have helped it provide more personalised information to its users. By enhancing its capacity to predict a person’s (the data subject’s) likes, dislikes and preferences, Facebook has become overly appealing to vendors, who can now rework and streamline their resources to identify their target audience more accurately. Websites such as Google and Facebook provide free access to their platforms to users, thereby monetising users’ information in an attempt to stay financially afloat.[1] Leaving aside the use of the website for commercial gain, the same features have also made it an attractive platform for political campaigning, as the Cambridge Analytica Scandal illustrates.

[Nakul Chengappa is a third-year law student at the School of Law, Christ (Deemed to be University), Bengaluru]

In this sense, the importance of Facebook has grown by leaps and bounds, but this growth has simultaneously highlighted the need for a more organised, technologically advanced mode of regulation which protects the data of the data subject. Thus came into being the General Data Protection Regulation (‘GDPR’), adopted in the year 2018, thereby replacing the Data Protection Directive 95/46/EC on privacy (‘95 Directive’). These regulations are not free from challenges, one of the biggest of them being technological illiteracy. Data subjects themselves are oftentimes not well-versed with the mode of collection of data, its use, and the implications of consent. In other words, the problem lies in the fact that while consent as an empty formality is fulfilled, informed consent may largely be lacking.


Facebook’s compliance with the GDPR guidelines

In this section, it is determined whether Facebook’s terms of service, and particularly its data policy, are compliant with the GDPR guidelines. After the Safe Harbour Case, Facebook’s terms and conditions have undergone substantial changes in order to protect its users’ privacy. The intention to abide sincerely by the guidelines is set out in the data policy. In order to implement the GDPR guidelines, Facebook has been forthcoming in identifying certain principles such as transparency, control and accountability.[2] Its privacy principles also state that Facebook has adopted an approach whereby the data subject has been given predominance and utmost control over their data.


a) Application of GDPR to Facebook

Through Article 4(7)-(8), the GDPR sets out which entities are to be brought within the ambit of the regulations. Article 4(7) refers to controllers whereas Article 4(8) refers to processors. Controllers, according to the regulation, are those who determine the purposes for which data is collected and how it is processed. Processors, on the other hand, are those who process said information on behalf of the controller. By Facebook’s own admission, it operates the majority of its services as a data controller. However, there are some instances in which it operates as a data processor when working with businesses and other third parties.[3] These vast definitions, coupled with Facebook’s own recognition of its role as a data controller/processor, leave no room for doubt as to the application of the regulation to the website, which by extension obligates Facebook to comply with the same. These definitions, together with the Regulation’s provisions on territorial,[4] material[5] and subject matter jurisdiction,[6] clearly enable the application of the law to Facebook, specifically in relation to all those data subjects who access the service from the European Union.


b) Nature of information collected and processed

Among the information collected by Facebook, it is laid out in the data policy that Facebook primarily stores information that is provided by us, information relating to the device on which one uses the website, and information from partners. The information provided by us includes information relating to our likes and preferences and information relating to one’s political orientation, etc. Information is also available regarding our transactions on the website. Furthermore, information associated with the device from which Facebook is used, such as GPS, networks and connections, is also collected by Facebook. It also has access to information that users provide to its partners, who include associated businesses, advertisers, etc., to whom one may give their information.

The definition of ‘personal data,’ as laid out in the GDPR, is wider than, albeit similar to, the definition in the ’95 Directive mentioned earlier. The definition includes “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[7] The definition, therefore, clearly brings within its ambit all information collected by Facebook. It is, therefore, necessary that Facebook, being governed by the GDPR and having collected personal data, comply unequivocally with the requirements of the regulations.


c) The right to be forgotten

One of the primary principles of the GDPR is to enhance the level of control that data subjects can exercise over their data when published online. The right to erasure[8] enshrined within the regulations is one such measure, which enables the data subject to opt for deletion of information previously given consensually. After 2011, when Facebook was charged with unlawful retention of data relating to a data subject even after the account was deleted, it has sought to rework its policy in a manner which guarantees deletion of the data of those persons who wish to delete their account.[9] It has been stated that the information will be deleted, but that this may take up to 90 days. Certain information, such as messages and log records, may, however, be retained and not deleted. It would nonetheless be right to state that Facebook is in compliance with this requirement of the GDPR, as the data which is retained is pseudonymised,[10] thereby almost nullifying the possibility of identifying persons based on such retained information. Similarly, Facebook vows to use and process data only for the purposes mentioned in its policy and with the consent of the data subject.


d) Use of data procured

Facebook states that information provided by data subjects when activating or using their account will be used for the purposes of personalisation of products and services (targeted advertising); to help businesses by providing analytics; to promote the safety and integrity of the data subject by detecting suspicious activity; and to promote communication and innovation for social good.[11] Chapter 2 of the GDPR lays down certain conditions which need to be met before processing the information made available to the website. While most information regarding the subjects’ consumer preferences, interests, likes and dislikes is being processed lawfully, other information, such as that relating to one’s political views, may not be said to be processed lawfully. This is made abundantly clear by the Cambridge Analytica Scandal.

Vide Article 9, one’s political opinions, inter alia, cannot be processed unless and until the ‘explicit consent’ of the data subject has been obtained. While a defence may be found in clause (e) of sub-paragraph 2, no other provision of the Regulation permits the processing of such information. The Cambridge Analytica Scandal, therefore, is vital in upholding this regulation, whereby sanctions are imposed on Facebook for enabling the processing of information relating to political orientation, thereby skewing the true perception of the American masses regarding their presidential elections. However, the true liability of Facebook is under question considering its lack of involvement. It is pertinent to note that the information was passed on directly to Cambridge Analytica. Liability can therefore only be attached to Facebook if it can be proved that it had knowledge of the activities of its users, which may prove to be highly difficult.

The need to regulate such instances, however, continues to exist. Earlier, these intermediaries were exempted from liability owing to the fact that the contrary may, in fact, impose onerous obligations on the websites. They would, therefore, refrain from carrying out business, which would thereafter have other socio-economic implications. For instance, such immunity is also present in India, in Section 79 of the Information Technology Act, 2000. It can therefore not be said that Facebook is in violation of the provisions of the GDPR, as even its policy states that such sensitive information may be given additional protection in accordance with the protection accorded to it in the country of the data subject. This, therefore, implies that Facebook is willing to offer heightened protection of such information belonging to those data subjects who operate the website from within the European Union.


e) Consent and Autonomy

The foundation of both privacy laws and the GDPR lies in the attempt to maximise the data subject’s autonomy and control over their own data. This autonomy, in turn, correlates to the need for the consent of the data subject before using their data. This requirement of consent has also been explained within the GDPR, and is fulfilled provided the consent so given is specific, unambiguous, free and informed.[12] Facebook is largely compliant with all those requirements mentioned in Chapter 3, which, although relating to the overall rights of data subjects, are in a way connected with the predominant need for consent. For instance, the data subject’s right of access[13] is complied with, as Facebook allows its users to download all data belonging to them that has been used by the website.[14] It also clearly states all that is relevant in order to ensure GDPR compliance in relation to the data of the data subject. In this sense, Facebook has been instrumental in enhancing the nature of control possessed by the data subject over their data. However, in relation to information that may be required by bona fide law enforcement agencies, Facebook has, in the public interest, reserved the right to retain such information and hand it over to such agencies.


f) Cross-border transfer of information

Facebook admittedly shares information offered by data subjects worldwide. However, it is still in compliance with Chapter 5 of the GDPR. It is necessary that all requirements of Chapter 5 are complied with before transferring the data internationally.[15] Adequacy decisions, which are to be considered before sharing the information, are a mandatory consideration under Article 45 of the GDPR. Facebook, in its terms and policies, has also mentioned that it not only takes into account adequacy decisions but also relies on standard form clauses in order to transfer such information internationally. It is also necessary that the same be agreed to by the data subject.[16]



In conclusion, it is evident that Facebook is compliant with the provisions of the GDPR. In theory, most websites may appear to be more or less compliant with the laws that require compliance. However, it may be noticed that enforcing liability for data breaches is tricky, not simply because of a website’s laxity in the handling of its data subjects’ information, but also because of the role played by several other factors, which require an institutional change transcending any change that a mere law may bring about. For instance, although these provisions exist on the website and are being consented to by users, very little of this information is actually processed and understood thoroughly. Not only is it difficult to comprehend the legal and technological jargon, but also to be able to exercise one’s autonomy effectively.


[1] Chris J. Hoofnagle & Jan Whittington, Free: Accounting for the Costs of the Internet’s Most Popular Price, 61 UCLA L. REV. 606, 628 (2014).

[2] Available at https://www.facebook.com/business/gdpr. Last accessed on 28-04-2019.

[3] Available at https://www.facebook.com/business/gdpr. Last accessed on 28-04-2019.

[4] GDPR Art. 3.

[5] GDPR Art. 2.

[6] GDPR Art. 1.

[7] GDPR Art. 4(1).

[8] GDPR Art. 17.

[9] Available at https://www.facebook.com/help/125338004213029. Last accessed on 28-04-2019.

[10] GDPR Art. 4(5).

[11] Available at https://www.facebook.com/about/privacy/update. Last accessed on 28-04-2019.

[12] GDPR Art. 4(11).

[13] GDPR Art. 15.

[14] Available at https://www.facebook.com/help/1701730696756992?helpref=hc_global_nav. Last accessed on 28-04-2019.

[15] GDPR Art. 44.

[16] Available at https://www.facebook.com/about/privacy/update#. Last accessed on 28-04-2019.
