Yesterday the story broke that the DPC had conducted a “dawn raid” inspection of the offices of Facebook, arising from concerns about whether key documentation was in place that the DPC would have expected Facebook to have prior to rolling out an application that would be processing special category data (sexual orientation, sexual history, political beliefs, religious/philosophical beliefs, and potentially ethnicity) from users’ Facebook profiles to build an algorithmic match of potential amorous connections.
Vive l’amour, as they say.
The timeline for this action is interesting:
- 3rd February:
- Facebook informed the DPC that they would be rolling out this dating application on the 13th February. The DPC appears to have asked for information re: any data protection impact assessment or other evidence of decision making (like a decision not to do a DPIA) and was met with a degree of tumbleweed. This does not seem to have been a “prior consultation” type of engagement with the DPC and, from what is known at this point, has all the appearances of a “drive by” briefing by Facebook in which information about the dating app was shared.
- 10th February:
- Authorised Officers of the Data Protection Commission went to Facebook’s Offices and used their powers under section 130 of the Data Protection Act 2018 to enter the premises and conduct searches for any relevant documentation or records and to take away any such documents.
- 11th February:
- Facebook pulls their application, and tells the media that they want to take some extra time to make sure the application is fit for purpose in an EU context.
It’s interesting to note that Facebook’s PR spin is that they have provided all relevant information that they had to the DPC.
That’s a good thing. Not doing that is an offence under section 130(7) of the Data Protection Act 2018, so I would hope that Facebook didn’t hold anything back. Because that would only make the situation worse. Much worse.
However, one would suggest that if you are walking into a meeting with a Regulator who currently has multiple open investigations ongoing relating to your company and you are going to tell them about a thing you are about to do, it might have been a smart move to have a DPIA in your hand ready to give to the Regulator.
After all, true love means never having to say you are sorry, or “we’ve pulled the app”.
Oh, and I was on the TV talking about it last night.
Dawn Raid Powers
The powers of the DPC to carry out what are referred to as “Dawn Raids” are not new. Pre-GDPR the DPC had these powers under Section 24 of the Data Protection Acts 1988 and 2003. The powers are pretty strong and allow the DPC to effectively look at anything they want, interview anyone they want, or require people on the premises who are employees or contractors of the Data Controller to provide any documentation or information relating to the processing activities being examined. These are powers that have been used in the past, but this Facebook incident is the first time they have been used (to my knowledge) since GDPR and the Data Protection Act 2018 came into force.
It’s worth noting that the DPC doesn’t seem to have been minded to wait around for publicity about the app or the receipt of complaints before doing some door-kicking to get information. This suggests a subtle but important shift in enforcement posture from the DPC.
The “Attitude Test”
Growing up, I was often told to watch that I didn’t fail the “attitude test” with people. This can variously be taken as meaning that I should try to be polite and engaging with clients or peers, and I should be courteous and accommodating to anyone carrying an official badge or warrant, like a police officer or a statutory Regulator. The “attitude test” could be failed by providing a grudging “lip service” response to something or a half-hearted effort to do something (like washing dishes).
In the context of the DPC, it is worth noting that Helen Dixon told RTE in 2019 that she felt her office might have “tried for too long” to work with the DEASP to resolve issues before launching an investigation. It appears that key lessons from the PSC investigation have been learned and the DPC may be less inclined from now on to give time to Data Controllers who arrive on her radar unprepared and without their homework done. In the context of the resource constraints on the office this is understandable and is to be welcomed (indeed, we discuss the importance of enforcement as part of the DPC’s Regulatory Strategy in this document.)
Therefore, it is clear that turning up 10 days before a product launch without any apparent homework done to evidence your assessment of the issues and risks associated with that product and its processing of personal data is a course of action likely to cause a Regulator to send some investigators around to see what’s really going on. That is “failing the attitude test”.
The Cost to Facebook
By creating a situation where they had to pull an application at very short notice, Facebook have inevitably incurred some sunk cost expense in a marketing budget and other promotional spend that has had to be put in the bin for a year. After all, an advert promoting the use of a dating app for Valentine’s Day that is rolling out in August is not exactly timely advertising. And as this is Facebook, that might be a rounding error in the grand scheme of things, but no marketing operations manager likes having their budget wasted to that extent.
Particularly when it may have been entirely avoidable.
The Benefit of a DPIA
This incident serves as a “teachable moment” about the importance of DPIAs, and the importance of recording the basis for decisions not to do DPIAs. And, as the emphasis of the DPC now seems to be shifting to the “attitude test” and turning up prepared, it highlights the importance of ensuring your DPIA is not a simple “tick box” activity but rather one that actively examines the potential issues and risks to the data protection and privacy rights of the data subjects whose data you will be processing, as well as the impact on their broader fundamental rights and freedoms.
A key part of this is ensuring that your DPIA is done in a way that challenges your organisational thinking and pushes back against assumptions or “preferred positions” that might exist in respect of the proposed processing activities. It should also ensure that you are clear about what needs you are meeting, which might actually result in one overall “thing” (a dating app) consisting of multiple processing activities that are being undertaken, some of which might be highly invasive or impactful on data protection rights.
This is particularly the case where there might be a high residual risk to the fundamental rights of the data subject which would require you to engage in prior consultation with the Regulator.
As one former Deputy Commissioner said to me over a decade ago (in an unguarded moment): “It’s nice when people turn up to meetings pre-tenderised”.
The Castlebridge sales pitch
We’ve been doing DPIAs of various degrees of complexity and depth for over a decade. In a prior role, regulatory risk assessments of processing were a key part of my job. So, if your organisation is considering a DPIA requirement, please get in touch (that includes you, Facebook).
We also run training courses on DPIA methodologies and how to approach the process in a structured way that ensures you are thinking about the questions you need to be asking to help you get the answers you need. These are available as in-house or public courses. Early bird tickets are available for our public course in April.