On some websites, you can either create a new account or simply click the “Login with Facebook” button. This is where the breach happens. The moment a Facebook user clicks that button, third-party trackers gather the user’s Facebook data, including name, email address, age range, gender, locale, and profile photo, depending on what the user originally provided to the website.
Why are these trackers doing it? Many of these companies sell “publisher monetization services” based on collected user data.
The abusive scripts were found on 434 of the top 1 million websites accessing Facebook through the “Login with Facebook” interface.
According to TechCrunch, the “discovery of these data security flaws comes at a vulnerable time for Facebook. The company is trying to recover from the Cambridge Analytica scandal, CEO Mark Zuckerberg just testified before the US Congress, and today it unveiled privacy updates to comply with Europe’s GDPR law. But Facebook’s recent API changes designed to safeguard user data didn’t prevent these exploits. And the situation shines more light on the little-understood ways Facebook users are tracked around the Internet, not just on its site.”
GDPR, which stands for General Data Protection Regulation, is a recent regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. It addresses the export of personal data outside the EU.
Dipping into Facebook data
The National Privacy Commission (NPC) announced on its website (https://privacy.gov.ph/) that it opened an investigation into Facebook on April 12, 2018, following Zuckerberg’s admission of the company’s fault in the Cambridge Analytica data scandal that affected Filipino Facebook users.
The NPC sent a formal letter addressed to Zuckerberg, requiring Facebook to submit a number of documents relevant to the case, to establish the scope and impact of the incident on Filipino data subjects.
The investigation is being conducted “to determine whether there is unauthorized processing of personal data of Filipinos, and other possible violations of the Data Privacy Act of 2012,” the NPC said. It intends, in particular, to look into how Facebook shares the personal data of Filipino users with third parties. It will also address the bigger picture of protecting the data privacy rights of the millions of Filipinos who use Facebook in their daily lives.
The bigger question now is whether or not the NPC has the power, the authority, and the mandate to investigate Facebook, let alone to penalize it.
NPC mandate includes penalizing Facebook
The NPC was created by Republic Act 10173, or the Data Privacy Act of 2012, signed into law on August 15, 2012.
Section 4 of the law provides for its scope which covers “processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.”
So, is Facebook, being based in Menlo Park, California, within the ambit of this coverage? At first thought, the answer is in the negative. However, Facebook established one of its offshore offices here in the Philippines sometime in April 2016.
Clearly, Facebook maintains “an office, branch or agency in the Philippines,” which makes it fall within the jurisdiction of the NPC.
Facebook’s vice president for Asia Pacific Dan Neary said: “Two thirds of everybody in the Philippines is connected to a company page. We started to look at the dynamics of them; 1 in 3 is actually recommending brands on Facebook and it’s a discovery vehicle for most of users. Ninety-five percent of them are talking and discovering products on Facebook.” Take note that an estimated 49 million Filipinos are on Facebook.
The clear-cut jurisdiction of NPC over Facebook was reiterated in Section 6 of the law, pertaining to its extraterritorial jurisdiction. It applies “to an act done or practice engaged in and outside of the Philippines by an entity if” such “entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents” and the said entity “has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information.”
The law sufficiently declares that “if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.” Further, the “maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the abovementioned actions.” With 49 million allegedly affected, Facebook can be slapped with the maximum penalties of six years’ imprisonment (for its officers) and a fine of P5 million.
So, the NPC has jurisdiction over Facebook and its officers. Similarly, the NPC can recommend the prosecution of Facebook, including Zuckerberg. Upon successful prosecution, the court can impose the maximum penalty on them.
One final question. If proven guilty, can the Philippines extradite Zuckerberg and have him imprisoned for six years?