I don't really get the point of the WSJ article from February 2rd. The headline makes it seem as if Facebook's SDK was spyware.
There were also articles in IT media re-reporting this.
Some people have commented that this is a case that will infuriate privacy commissioners in various countries. In fact, the tone of the article seems to be heading in that direction, but what do you think?
I don't really get the gist of the article, but it seems that the app uses the Facebook SDK to implement AppEvent Optimization.1This seems to be the case when retrieving ads in an event-driven manner.
In terms of how this is structured, it appears that the app sets what type of ad to deliver when a certain event occurs within the app on the Facebook platform, and when the app creates an event that triggers this and sends it to Facebook, Facebook delivers an ad from the category that was just set up to that app instance.
The actual parameters sent are as follows:
name- A required string that describes the event. When app events are sent to Analytics, this name appears in the event log.valueToSum– An arbitrary value that Analytics adds to the ValueToSum value of other app events with the same name.parameters– Any value you want to include in the app event.
Did you put the raw data into "Parameters"?2.
If we consider that the app is ultimately an ad serving app, then Facebook appears to be a Data Processor.3
On the other hand, if you consider the app as a Facebook processor, you could question Facebook's illegality. However, unlike other Facebook ads, isn't this interpretation not strict?
In addition, the IT media article states, "The company has explained to developers that the user data provided by the app will be used for personalizing ads and content on Facebook and for market research." It is written as if Facebook is using the data for its own purposes, but when you look at the English,
Facebook App Events allows you to track these events to view analytics, measure ad performance, and build audiences for ad targeting.
(source) https://developers.facebook.com/docs/app-events/
So the subject is the app developer. So Facebook is just a data processor. In response to the WSJ's inquiry, Facebook said:
Facebook said in its contracts with app developers that they must not send "sensitive information, such as health or financial information," and that the WSJ's investigation findings appear to violate the contract. It also said it is asking the problematic apps identified by the WSJ to stop sending information that users may consider sensitive. It also said it may take further action if the apps do not comply.
(source)WSJJapanese version "Personal information from external apps exposed to Facebook without logging in"
This information is shared with Facebook."2019-02-23
However, this is a breach of contract between the data controller and the data processor, as the data processor has stated "Do not send sensitive data" and has sent it anyway, so they are asking for correction, and it does not seem to be about GDPR or the Personal Information Protection Act. From Facebook's perspective, they would be asking for tokens indicating events to be sent, rather than raw data, which I think should be the case from the perspective of data minimization.
In fact, the concept of Data Processor does not exist independently in Japan's Personal Information Protection Act, but is instead positioned as a third party contractor, which often creates this kind of confusion, but it seems that there is confusion in the U.S. as well. In that respect, I think it was very forward-thinking that GDPR and ISO/IEC 29100:2011/AMD1:2018 neatly distinguish between Controller, Processor, and Third Party to eliminate confusion.
However, there have been a lot of articles about this kind of anti-GAFA recently. If this trend continues,
We are very concerned that if we send it to AWS, it could end up being "Amazon obtaining personal information," and if we send it to GCP, it could end up being "Google obtaining personal information."
footnote
- AppEvent Optimization details https://developers.facebook.com/docs/app-ads/optimization/
- This type of PII being sent without the recipient's consent is called Unsolicited PII, and is covered in Section 29100 of ISO/IEC 4.4.6.
- I need to look at the actual contract for this, but I haven't been able to. If the structure was written so that Facebook was the Controller and the Apps provider was the Processor, then of course Facebook would be out, but with this structure you don't know what will be sent, in other words, you don't know what Facebook will get, so I don't think they would do something stupid like that. By the way, in the case of web advertising, the platform decides what to get, and conversely, the website has no control over it, so the website is the Processor. I've only checked the case of Google though.