Personal data protection & management - Meta
Ada Raczynska, Alexi Teyssier, Elizabeth Ventura, Nicolas Prevost, Paolo Santalucia, Tristan Nougaro & Jeanne Streiff
1- Does the policy comply with all GDPR principles?
To examine the extent to which Meta complies with all GDPR principles, it is necessary to dig into the
essential principles that organizations must follow when processing personal data:
● Transparency: Companies must provide individuals with clear and understandable information about
their rights regarding the collection and use of their personal data.
● Lawfulness: Organizations must have a legal basis for processing personal data.
● Fairness: Organizations must treat individuals fairly when processing their personal data.
● Accuracy: Organizations must take reasonable steps to ensure that personal data is accurate and kept up
to date.
● Storage limitation: Organizations must not keep personal data for longer than necessary for the
purposes for which it is being processed.
● Integrity and confidentiality: Organizations must ensure that personal data is secure and protected
against unauthorized or unlawful processing.
Therefore, based on the Meta privacy policy, it appears that the company has considered the GDPR
principles and has taken steps to comply with them. For instance, the policy provides information about the
types of personal data collected, the purposes for which it is used, and the legal bases for processing the data.
The policy also describes the rights that individuals have with respect to their personal data, including the right
to access, rectify, and erase their data.
However, it is important to evaluate CNIL's documents to determine if Meta's privacy policy adheres to all
GDPR principles based on CNIL's unique interpretations and expectations, as the French Supervisory Authority
may have distinct viewpoints.
Likewise, based upon Articles 3, 5, 6, 9, 12, 22 and 44, the following conclusions can be made:
● As Meta processes personal data of individuals in the EU, the GDPR applies to the company (Article
3).
● The Meta privacy policy complies with Article 5 as it provides information about the purposes for
which personal data is collected and the legal bases for processing the data.
● The Meta privacy policy identifies several legal bases for processing personal data, including consent,
contractual necessity, and legitimate interests, which would appear to comply with the requirements of
Article 6.
● The Meta privacy policy indicates that it may collect certain types of sensitive personal data, but also
provides information about the legal bases and purposes for processing this data (Articles 9 and 22).
● The Meta privacy policy provides information about rights of individuals with respect to their personal
data, as well as information about how they can exercise their rights (Article 12).
● The Meta privacy policy provides information about the company's transfer of personal data outside of
the EU, and indicates that it implements appropriate safeguards, such as standard contractual clauses, to
protect the data (Article 44).
Based on the above points, one can conclude that the Meta privacy policy addresses many of the requirements
set out by the relevant articles of the GDPR, including those identified by CNIL.
2- What are the legal bases for processing personal data? Are the stated bases realistic?
The Meta privacy policy identifies several legal bases for processing personal data:
● Consent: individuals give their explicit and informed consent to the processing of their personal data
for specific purposes.
● Performance of a contract: it refers to situations where processing personal data is necessary to fulfill a
contractual obligation.
● Legitimate interests: processing is necessary for the legitimate interests pursued by Meta or a third
party.
● Compliance with legal obligations: Meta may process personal data where this is required to comply with
a legal obligation that applies to it.
Based on Meta's privacy policy, it appears that the company has considered the various legal bases for
processing personal data and has identified those that are relevant to its specific activities. The GDPR requires
that the legal basis for processing personal data must be appropriate and relevant to the specific purpose for
which the data is being processed. However, whether these legal bases are realistic would depend on how they
are applied in practice by Meta.
3- Does the controller comply with all her obligations? What about data processors and third parties?
Meta, as controller, complies with the GDPR and is held to its obligations. The controller justifies the
collection of data from its customers under the setting “Legit interest of the company: Commercial
purposes”. This interest serves to establish the normative framework for the data controller's obligations, with
particular attention to those areas where both compliance and potential breach of the regulation are most likely
to occur.
The controller meets the requirements for data subjects' legal rights, and also ensures that it meets the GDPR’s
requirements for data protection by design and by default. This includes careful consideration of the technical
and organizational risks of using the platform. Meta has published a Service conditions document and a
Confidentiality policy document, explaining its service offers and claiming that it has developed measures to
ensure security, but these documents do not set out the possible risks or the follow-up procedures.
Meta also has a Privacy notice, Policy notice and Cookie notice. Meta states that it keeps information for as
long as it needs it to provide its Products and services, to comply with legal obligations, or to protect its
interests or those of others, and that the retention period is decided on a case-by-case basis.
The controller had ensured international personal data transfers by joining the EU-US Privacy Shield
Framework. Even though this is no longer a valid mechanism for complying with EU data protection requirements
when transferring personal data from the European Union to the United States (where Meta is headquartered),
Meta is still required to comply with this agreement.
Meta has designated Meta Platforms Ireland Limited as its data controller. It can be reached online and by
mail, and it has built an easy-to-use platform dedicated to answering questions and providing help.
As for the processors, Meta itself processes the information it uses for commercial and service purposes, and all
data is automatically processed by its systems. Where it needs to use a third-party processor, it looks for a
trusted supplier, who is authorized to access customer information and is required to comply with security and
confidentiality standards. Meta does not go further in explaining whether or not its external associates comply
with the GDPR and its obligations, since it states that each entity has its own privacy policy and procedures.
Meta owns and operates a number of related companies, and it may share information about
customers within its family of companies to facilitate, support and integrate their activities and improve their
services. For partners, suppliers, service providers and third parties, Meta also requires them to follow certain
rules on whether and how they can use and disclose the information provided to them. Meta also shares
information with third parties in response to legal requests, to comply with applicable law or to prevent harm.
4- Does the policy have specific rules applicable to minors? If so, how is the consent of minors validated
by parents and guardians, in practice?
In its privacy policy, Meta lists specific rules applicable to minors in terms of legitimate interests. Legitimate
interest is one of the legal bases provided in the GDPR on which personal data processing can be based. The
interests of organizations must not create an imbalance to the detriment of the rights and interests of the
individuals whose data is processed.
Meta is first committed to considering whether the user is a minor when assessing legitimate interests. They
offer special protections for minors to ensure that they are aware of the risks, consequences, safeguards, and
rights associated with the processing of their information.
When personalizing Meta products, as well as when providing and improving Meta products for underage users,
the legitimate interests of minors are invoked. These can include the legitimate interest in creating and providing
products that allow people under the age of majority to discover and engage with information that may
interest them and to use tools and features that ensure their well-being. They also include personalizing Meta
products while providing additional safeguards for people under the age of consent in their country. Meta
invokes a tailored policy when promoting the safety, integrity, and security of Meta Products to underage users.
The goal is to ensure that minors are protected and do not have access to harmful or inappropriate content. For
example, in early 2023 Meta decided that only age and location can be used in ad targeting of 13–17-year-olds
on Facebook and Instagram. However, Meta gives few examples of these special protections for minors.
Since it is illegal to process the personal data of a child under the age of 13 without consent given or authorized
by the person holding parental responsibility for the child, Meta protects itself by not giving such children access
to services that involve data processing. However, no verification is performed: a user under 13 years old can
simply enter an earlier date of birth.
In terms of parental control, Meta offers, for example on Instagram, the possibility for parents to supervise their
child's account, subject to the minor's agreement. Parents can, for instance, set a time limit for using the
application, but they will not have access to private messages. However, this is only one of the few
parental-control options available. Regarding minors and the processing of their personal data, no consent is
requested from parents or guardians. Meta seems to rely on parents to educate and sensitize their children.
5- Is the notice written in plain language? Does it increase or decrease the trust of an average data subject?
Meta's privacy policy is written in clear and plain language as required by the GDPR. There are also videos and
images to illustrate the notice. Where a term is complicated, Meta defines it and makes it accessible to
everyone. Moreover, the privacy policy is easily accessible. When a privacy policy is written so that everyone
can understand it, even minors, it inevitably increases the trust of the people involved. By making the
information simple, people feel that it is clearly explained to them how their data is processed, without being
misled. Users can more easily understand their rights, how their data is processed and for what purposes. If
data subjects can't understand what the company is doing with their personal data, they can't trust it.
6- Are all data subjects’ rights recognised? How can data subjects exercise their rights?
The data subject rights comprise five rights. In the Meta privacy policy, every right is mentioned and
highlighted:
- Right to information: all subjects can be informed about the use of their personal data
- Right to access: all subjects can access their personal data and ask for a copy of it in the
settings of their profile
- Right to rectification and erasure: as a data subject you can modify your personal data if it is incorrect
or inaccurate, and you can also ask for it to be deleted
- Right to data portability: you can receive your personal data in a format that is readable and
understandable
- Right to object: in the settings of your profile, you can review and object to the processing of your
personal data according to several criteria
For Meta, data subjects can exercise their rights by going to their profile and looking at the settings. In the
settings, they can explore the use of their data, see what data is being used, and decide what
they want to change or object to. You can also contact Meta's DPO if you want more information
or if you believe a right is not being respected.
7- Does the notice effectively implement privacy by design and default? Justify your answer with excerpts.
Data protection by design can refer, for example, to the use of pseudonymization and encryption of the data,
while data protection by default refers to the privacy that users actually benefit from, by default, as the
platform is developed.
Meta’s privacy policy indeed mentions the concept of privacy by design and default. For example, Meta assures
users that it is always looking to improve their privacy and to give them more rights.
Meta also states that, by default, some settings will protect users and help them to have more control
over their personal data.
8- Does this notice apply worldwide? Are there different policies applicable to different countries or regions?
What would be the reasons for one or another strategy?
Yes, Meta's privacy policy is applied globally, but it differs depending on the country or region where users of
its various platforms such as Facebook, Instagram or WhatsApp are located.
The fact is that there is no legal instrument dealing with the privacy of online users on an international scale,
only territorial laws on the privacy of individuals and the data they generate, which can be applied differently in
different countries or regions. Thanks to this type of legal shield, i.e. laws that provide a legal framework for
how individuals' personal data are processed, collected, used and stored, states can ensure a balance in the
digital market and protection for users of this type of online platform.
In our own case, in France, the most prominent example of privacy law is the EU General Data Protection
Regulation (GDPR) or the European ePrivacy Directive. Other prominent examples in Meta's case, given that it
is an international company, are the California Consumer Privacy Act (CCPA), the California Online Privacy
Protection Act (CalOPPA) and the Canadian Personal Information Protection and Electronic Documents Act
(PIPEDA).
In general, these laws are applicable within the borders where they are adopted, but some of them, particularly
those on data privacy, may include special provisions that allow the laws to be applied internationally
("extraterritoriality"). These laws can play a crucial role in influencing the strategies of a company such
as Meta. Taking our example of a user of one of Meta's platforms in France: for the GDPR to apply, a controller
or processor does not have to be established in the EU. If, through these platforms, such a controller or processor
offers goods or services to individuals in the EU or monitors their online behavior by collecting and processing
their data, as Meta does, the organization must comply with the GDPR even if it is based outside the EU.
9- Does the notice refer to international data transfers (outside the EEA)? If so, how? How is the GDPR
level of protection guaranteed?
Yes, Meta's privacy policy applies to, and refers to, international data transfers outside of the EEA.
In Meta's privacy policy, there is a section dedicated to the question “How do we transfer information?”. This
section is divided into three parts.
The first part explains “Why is information transferred to other countries?”. It shows that Meta gathers
information and shares it internally and in its data centers. Meta also shares it externally with its partners,
suppliers and service providers in order to allow the company to use and provide certain services and to enhance,
fix and implement products.
The second part explains “Where is this information transferred to?”. It confirms that data is transferred
internationally outside the European Economic Area (EEA) from Meta Platforms Ireland Limited: the data
collected and monitored is transferred, transmitted, stored and processed in locations where Meta has
infrastructure or data centers, including the USA (outside of the EEA), Ireland, Denmark and Sweden.
In the third part of this section, there is a link named “How information is protected when being
transferred to the United States of America.”. This link refers to a section of Meta's website, “Steps We Take
to Transfer Data Securely”.
Facebook relies on Standard Contractual Clauses to transfer data outside the EU. Since the ruling, Facebook has
worked to follow the steps laid out by the European Court of Justice to ensure that it can continue to transfer
data safely and securely under the GDPR. The measures Meta cites to protect data include encryption and
security, no “back door” governmental access, robust policies, transparency about policies and products, a lawful
basis for processing, and data breach notification. Meta states that any transfer of personal data outside the
European Economic Area (EEA) is done in compliance with GDPR requirements, such as through the use of
standard contractual clauses.
10- Add your comments, criticisms and/or final evaluation of the notice (grade it from 1-10).
The ultimate result of our thorough analysis is that Meta has studied the GDPR principles and has taken steps to
comply with them.
Meta’s privacy policy provides clear content and information about individuals' rights regarding the collection
and use of their personal data.
Additionally, the policy identifies several legal bases for processing personal data, such as consent, contractual
necessity, and legitimate interests, which appear to comply with the requirements of Article 6 of the GDPR.
However, during our analysis we also knew that it would be important to evaluate CNIL's documents to
determine if Meta's privacy policy adheres to all GDPR principles based on CNIL's unique interpretations and
expectations. We also analyzed how Meta applies the legal bases for processing personal data in practice.
Overall, it seems to us that Meta has made an effort to comply with the GDPR and has provided transparency
and clarity around their data processing activities.
Furthermore, Meta's notice appears to be well-written and comprehensive in its approach to addressing potential
concerns related to the use of the platform. The notice covers a range of topics related to user privacy, data
security, content moderation, and community standards, providing users with a clear understanding of what is
expected of them when using the platform.
However, there may be room for improvement in terms of explaining the risks and follow-up procedures related
to their data processing activities, as well as providing more information about their external associates'
compliance with the GDPR.
We think that ultimately, one of the biggest strengths of the notice is its transparency. Meta clearly explains its
policies and procedures related to user data, content moderation, and community standards, giving users a clear
sense of how their information is being used and how they can expect to be treated when using the platform.
Another strength is the level of detail included in the notice. Meta provides users with specific examples of
prohibited content and behavior, making it easier for users to understand what is and is not acceptable on the
platform.
One potential area for improvement could be the organization of the notice. While the information is presented
clearly, it might be helpful to group similar topics together or use headings to make it easier for users to navigate
the notice.
Another criticism that could be made about the notice concerns an occasional lack of transparency: while Meta's
notice provides some information about its policies and enforcement, it doesn't go into great detail about how
decisions will be made, or how users can appeal decisions that they feel are unjust towards their rights. Without
greater transparency, it will be difficult for users to trust that Meta is enforcing its policies fairly and
consistently.
Overall, based on our analysis, we would give Meta's notice a score of 7 out of 10 based on its quality. While
there is always room for improvement, Meta's notice does a good job of providing users with the information
they need to use the platform safely and responsibly.