By Susan Ning, Wu Han and Zhao Yangdi, King & Wood Mallesons’ Commercial & Regulatory group

With the proliferation of personal data protection legislation across jurisdictions, the tension between enterprises’ commercial practices and the protection of personal data has drawn close attention from enforcement authorities around the world. Facebook is a case in point: after a recent spate of sanctions for excessive collection of users’ personal data through cookies, followed by a leak of data concerning over 50 million users, the star of the open social platforms has suffered severe losses in both market value and reputation.

By taking advantage of the open platform model, Internet companies such as Facebook have quickly become, in users’ eyes, “Internet access” enterprises. What characterizes these new enterprises is their ability to offer a wide range of value-added services on a multi-sided platform market, through which they obtain large volumes of user data of many kinds and then build new business models on that data with big data technologies. They thus become “data driven” companies. It is foreseeable that, in pursuing their commercial ambitions, such enterprises will face unavoidable conflicts between their business practices and the protection of personal data. How to strike a balance between business development and personal data protection is therefore becoming a long-term concern shared by enterprises, legislators and enforcement authorities.

King & Wood Mallesons’ Cybersecurity and Data Compliance Team will publish a series of articles discussing the major data compliance issues that “data driven” enterprises cannot avoid in their operations. This article, the first in the series, reviews the recent Facebook incidents and examines two data compliance issues they raise: the collection and processing of data through cookies, and data sharing in the Open API scenario.

Review of the Facebook Incidents

1. Belgium vs Facebook

The use of cookies (especially third-party tracking cookies) raises personal data and privacy protection issues. The E-Privacy Directive of the European Union (“EU”)[1], adopted in 2002, lays down detailed rules on data controllers’ processing of personal data in connection with electronic communications, including the use of cookies. The recent Belgian court order against Facebook has brought the privacy and data protection issues surrounding cookie data back into the spotlight.

In Belgium vs Facebook, the investigation into Facebook’s collection and processing of data through cookies had been running since 2015, when the Belgian Commission for the Protection of Privacy (“CPP”) commissioned a report from researchers at the University of Leuven. The report found that Facebook’s use of cookies to track all visitors, without their explicit consent, breached the Belgian Privacy Act.[2] The CPP issued two recommendations to Facebook, on May 13, 2015 and April 12, 2017.[3] They raised two main concerns: (1) Facebook did not have sufficient, informed consent for its collection and use of cookie data; and (2) there was no necessity for Facebook to set and use certain types of cookies in its social plug-ins to collect that data.

Facebook’s remedies failed to satisfy the CPP, which then took Facebook to court; after an appeal and a retrial, the case ended in 2018 with Facebook’s defeat.[4] On February 16, 2018, the Belgian court ordered Facebook to stop collecting cookie data from users and to delete all Belgian user data it had collected unlawfully, failing which Facebook would be fined EUR 250,000 per day.

2. The Cambridge Analytica Data Breach Incident

On March 17, 2018, it was reported that a company named Cambridge Analytica had harvested over 50 million Facebook profiles of US voters and used them to predict and influence choices at the ballot box in the 2016 US presidential election, by targeting advertisements at those voters.[5]

The incident originated in 2013, when Aleksandr Kogan, a researcher at the University of Cambridge, built a Facebook application called “this is your digital life” that attracted about 270 thousand users. When a user ran the application, it was authorized to obtain the user’s social connections and friends’ data. On the strength of that authorization, the application obtained the data of nearly 50 million Facebook users through the platform’s Open Application Programming Interface (“Open API”). The data was then passed to Cambridge Analytica for targeted campaign advertising. When Facebook learned of this in 2015 it blocked the application and demanded that Kogan and Cambridge Analytica delete all user data, but it did not follow up or investigate further.

Facebook had, however, already reached a settlement with the US Federal Trade Commission (“FTC”) on user privacy in 2011, in which it undertook to adopt and maintain a high standard of protection for users’ private data and to strictly restrict the transfer of users’ personal data to other parties.[6] The Cambridge Analytica incident therefore attracted the FTC’s attention, and the FTC opened an investigation into Facebook’s privacy practices, focusing on whether Facebook breached the 2011 settlement and whether it deceived users about privacy protection. At the same time, Cook County, Illinois sued Facebook under the state’s Consumer Fraud and Deceptive Business Practices Act, alleging that Facebook claimed to protect user data yet, despite having been informed of Cambridge Analytica’s misconduct years earlier, failed to prevent it effectively, resulting in the data breach and the heavy losses in this incident.[7]

The two incidents above are only the most widely reported of the many battles Facebook has been fighting since 2017. Besides them, Facebook was fined EUR 150,000 in France for failing to prevent advertisers from obtaining user data[8] and EUR 1.2 million in Spain for retaining user cookies beyond the permitted period and for unlawful advertising[9], and it is under investigation in Germany for abusing its dominant position as a social network provider to force users to let it collect data about them from third-party sources.[10]

Analysis and Suggestions

The collection and use of cookie data, and the sharing of data in the Open API scenario, can give rise to compliance problems that Internet enterprises frequently encounter in their daily operations. These enterprises can learn from the Facebook incidents and handle their own collection, use, exchange and sharing of data with care.

1. Cookies

A cookie is a small piece of text that a website’s server sets in a user’s browser when the user visits the site; the browser stores it on the user’s terminal device and sends it back with subsequent requests to that site. Through cookies, website operators can record and retrieve data about the user’s visits, such as a user or session identifier, login state, the number and duration of visits, browsing history, and so on.

The EU rules on cookies have moved from the “opt-out” approach of the E-Privacy Directive (2002)[11] to the “opt-in” approach of its 2009 revision.[12] In January 2017, the European Commission proposed a Regulation on Privacy and Electronic Communications (“E-Privacy Regulation”).[13] The E-Privacy Regulation, conceived as lex specialis to the EU General Data Protection Regulation (GDPR), is intended to replace the current E-Privacy Directive and align the rules with the GDPR; the Commission proposed that it apply from May 25, 2018, the date the GDPR takes effect, although at the time of writing the proposal was still passing through the EU legislative process. The E-Privacy Regulation sets out stricter rules for the use of cookies and similar device identification technologies such as web beacons and tracking pixels.

In PRC judicial practice, the legal nature of cookies is contested. The Baidu case of 2013, the first cookie case in China, reflects this controversy. The court of first instance held that tracking cookies constitute personal privacy. The appeal court held that tracking cookies, while private in nature, are not personal data: a user’s history of search keywords is private because it reveals the user’s online activities and preferences, but once separated from the user’s identity it can no longer be used to identify a specific user and therefore should no longer be treated as personal data.

The PRC Cybersecurity Law (“CSL”) took effect on June 1, 2017. Departing from the Baidu case, the CSL adopts a test of both direct and indirect identification.[14] In addition, the Information Technology – Personal Data Security Specification (the “PRC Specification”), released on December 29, 2017, makes clear that data is personal information if it can identify a specific person or reflect a specific person’s activities, whether on its own or in combination with other data. On this test, cookie data such as browsing history can readily identify a specific individual when combined with other data such as the terminal device or the user account. Cookies are therefore likely to be treated as personal data in China, and their collection, use and any other processing should comply with the CSL and the other PRC laws and regulations on personal data.

Internet enterprises now operate globally and data flows globally. Although China has not yet laid down detailed rules on cookie data, enterprises can refer to the EU requirements as a starting point for a self-assessment of their collection and use of cookie data in the following respects:

  • For each type of cookie data, examine whether its collection and use is necessary to provide a particular function and whether a less intrusive alternative exists;
  • For each type of cookie found to be indispensable, document the following: What data does the cookie collect? Is the cookie data linked to other user data held by the enterprise? Does the cookie’s lifetime match its intended purpose? What is the nature and type of the cookie? Is it a first-party or a third-party cookie? Who controls the collected data?
  • In the cookie policy and the notice to users, make sure that the information users need in order to give sufficiently informed and explicit consent is conveyed in plain language, free of obscure technical terms and easy for users to understand.
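The inventory questions above (what each cookie is, whether it is first- or third-party, whether its lifetime fits its purpose) can be answered mechanically from the Set-Cookie headers a site and its embedded plug-ins actually emit. The script below is an added example written for this article, not code from the article's authors or from Facebook: the site host, the four Set-Cookie headers and the 395-day lifetime threshold are constructed assumptions, and the registrable-domain test is a deliberate approximation.

```python
"""Cookie inventory for the self-assessment above (example code written for
this article; the site, the Set-Cookie headers and the lifetime threshold
are constructed assumptions, not Facebook's or any regulator's figures)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.example.com"                        # assumed site under assessment
ASSESSMENT_DATE = datetime(2018, 3, 20, tzinfo=timezone.utc)
MAX_LIFETIME_DAYS = 395                              # assumed internal policy (~13 months)

# Constructed Set-Cookie headers, each paired with the host that sent it.
# The third one comes from an embedded social plug-in, i.e. a third party.
SAMPLE_RESPONSES = [
    ("www.example.com", "sid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "prefs=lang%3Den; Domain=.example.com; Max-Age=31536000; Path=/; Secure; SameSite=Lax"),
    ("plugins.social-tracker.test",
     "tr=9f8e7d; Domain=.social-tracker.test; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; SameSite=None"),
    ("www.example.com", "_ab=1; Max-Age=63072000; Path=/"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Flag attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def base_domain(host):
    """Crude registrable-domain approximation (last two labels); a real
    inventory should consult the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lifetime_days(attrs, now):
    """Lifetime in days as of `now`; None means a session cookie.  Max-Age
    takes precedence over Expires, as in RFC 6265."""
    if "max-age" in attrs:
        return max(int(attrs["max-age"]), 0) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return max((expires - now).total_seconds(), 0) / 86400
    return None


def audit_cookies(site_host, responses, now):
    """Build the inventory the checklist asks for and flag entries that need
    a documented justification or a security fix."""
    report = []
    for response_host, header in responses:
        name, _, attrs = parse_set_cookie(header)
        scope = attrs.get("domain")
        if not isinstance(scope, str):         # no Domain attribute: host-only cookie
            scope = response_host
        third_party = base_domain(scope) != base_domain(site_host)
        days = lifetime_days(attrs, now)
        issues = []
        if third_party:
            issues.append("third-party cookie: record who controls the data and why it is needed")
        if days is not None and days > MAX_LIFETIME_DAYS:
            issues.append(f"lifetime {days:.0f} days exceeds policy of {MAX_LIFETIME_DAYS} days")
        for flag in ("secure", "httponly"):
            if attrs.get(flag) is not True:
                issues.append(f"missing {flag}")
        if "samesite" not in attrs:
            issues.append("missing samesite")
        report.append({"name": name, "set_by": response_host, "scope": scope,
                       "party": "third" if third_party else "first",
                       "lifetime_days": days, "issues": issues})
    return report


if __name__ == "__main__":
    for entry in audit_cookies(SITE_HOST, SAMPLE_RESPONSES, ASSESSMENT_DATE):
        print(entry)
```

Run against the constructed sample, the session cookie passes clean, the preference cookie is flagged only for lacking HttpOnly, the plug-in cookie is reported as third-party with a lifetime of roughly twelve years, and the `_ab` cookie exceeds the assumed policy and lacks all three protective attributes. The output is the raw material for the "who controls the data" and "does the lifetime fit the purpose" questions; the script cannot answer those, it only makes sure every cookie is asked.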

2. Open API

In the Cambridge Analytica incident, Facebook opened its APIs to third-party applications as an open platform, and those applications obtained user data from the Facebook platform through them. In this scenario Facebook, as the original controller of the underlying platform and data, shares user data with third-party applications and is obliged to fully inform its users of that sharing, to obtain their informed consent, and to put adequate security management in place.

It was reported, however, that Facebook’s management of data authorizations to third parties may have had substantial flaws. Before 2014, once a user had consented, Facebook placed few limits on a third-party application’s access to and collection of the personal data of that user’s friends. Aleksandr Kogan exploited precisely this flaw, collecting and using the data of users’ friends without informing those friends or obtaining their consent. Only in 2014 did Facebook redesign its platform to require the friends’ own consent before their data could be obtained, and at the same time it strictly limited the range of user data that third-party applications could access.[15] In the PRC, the Beijing Intellectual Property Court established the “Open API development cooperation model” data authorization rule in its 2016 decision in Sina vs. Maimai. The rule in the Sina case is consistent with Facebook’s revised authorization rule after 2014: it requires “three levels of consent” before a third-party application may obtain data through an Open API, namely “user authorization to the platform + platform authorization to the third-party application + user authorization to the third-party application”.

Facebook is also considered to have failed in its due diligence obligations for data sharing. Before sharing data with the third-party application (Aleksandr Kogan’s), Facebook did not assess the necessity of the data collection, the type and volume of data to be collected, the means of data transmission, or the application’s data protection capabilities. In this respect Facebook did not fulfill its due diligence obligation as a platform. On data sharing, the PRC Specification expressly provides that “a personal data controller shall carry out a personal data security impact assessment before transferring or sharing personal data, and take effective measures to protect the personal data subject in light of the assessment result”.[16]

As to remedies, after learning in 2015 that Aleksandr Kogan had shared user data with Cambridge Analytica, Facebook took only two measures: (1) it blocked Kogan’s application; and (2) it asked Kogan and Cambridge Analytica to destroy the unlawfully obtained user data and to certify its destruction. Facebook did not, however, promptly notify its users of the leak or take any further effective remedial measures: for example, it neither required nor supervised the deletion by the parties holding the unauthorized data of all such data and of data derived from it, and it made no effort to ensure that no backups were kept. Analyzed under PRC law, Article 42 of the CSL and Article 9 of the PRC Specification require network operators to take remedial measures immediately, to notify users in a timely manner in accordance with the regulations, and to report to the competent authorities. Facebook’s omissions in the Cambridge Analytica incident may therefore have breached its obligations as a data controller under PRC law.

Learning from Facebook’s lessons, enterprises should build a “data-sharing mechanism” that gives them adequate control over the data:

  • In the privacy policy presented to users, make sure that the circumstances and details of any data sharing with third-party applications through an Open API are fully and explicitly disclosed, and obtain users’ explicit consent to such sharing;
  • Build a graded authorization system for data interfaces. Provide separate interfaces with different authorization levels according to the sensitivity of the data shared; for interfaces exposing sensitive personal data, third parties should apply for authorization separately;
  • Before sharing data with a third party, carry out a “personal data security impact assessment” of that third party, and afterwards monitor and track the third party’s subsequent use of the shared data;
  • Set up an early-warning mechanism and take effective measures promptly once unauthorized access to personal data by third parties is detected.
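The “three levels of consent” rule described under the Sina case, the friend-consent check Facebook added in 2014, and the monitoring and early-warning bullets above can all be expressed as a small authorization policy. The code below is an added example written for this article, not Facebook’s Graph API or any code from the article’s authors: the users, the application name `quizapp`, the data categories `profile` and `likes`, the `friends_likes` grant and the sharing log are constructed assumptions. Flipping `friend_consent_required` reproduces the pre-2014 behavior so the two policies can be compared on the same data.

```python
"""Consent checks for an Open API, written as an example for this article.
It models the "three levels of consent" rule and the friend-consent rule
Facebook adopted in 2014; users, application names and data categories are
constructed assumptions, not Facebook's actual API."""
from dataclasses import dataclass, field


@dataclass
class OpenApiPlatform:
    profiles: dict            # user -> {category: data held by the platform}
    friends: dict             # user -> set of that user's friends
    platform_consent: dict    # level 1: user -> categories the user allowed the platform to process
    app_scopes: dict          # level 2: app -> categories the platform authorized that app to request
    user_app_grants: dict     # level 3: (user, app) -> categories that user granted to that app
    friend_consent_required: bool = True              # False reproduces the pre-2014 behavior
    sharing_log: list = field(default_factory=list)   # every release of data to an app

    def granted(self, user, app):
        return self.user_app_grants.get((user, app), set())

    def fetch(self, app, requesting_user, subject, category):
        """Release `subject`'s data in `category` to `app`, acting on behalf of
        `requesting_user`, or raise PermissionError naming the failed check."""
        if category not in self.app_scopes.get(app, set()):
            raise PermissionError(f"platform has not authorized {app} for {category}")
        if category not in self.platform_consent.get(subject, set()):
            raise PermissionError(f"{subject} has not consented to the platform processing {category}")
        if subject == requesting_user:
            if category not in self.granted(requesting_user, app):
                raise PermissionError(f"{requesting_user} has not granted {category} to {app}")
        else:
            if subject not in self.friends.get(requesting_user, set()):
                raise PermissionError(f"{subject} is not a friend of {requesting_user}")
            if f"friends_{category}" not in self.granted(requesting_user, app):
                raise PermissionError(f"{requesting_user} has not granted friends_{category} to {app}")
            # The post-2014 rule: a friend's data needs that friend's own consent to the app.
            if self.friend_consent_required and category not in self.granted(subject, app):
                raise PermissionError(f"{subject} has not personally authorized {app} for {category}")
        self.sharing_log.append((app, requesting_user, subject, category))
        return self.profiles[subject][category]


def denial_reason(platform, app, requesting_user, subject, category):
    """None if the request is allowed, otherwise the text of the failed check."""
    try:
        platform.fetch(app, requesting_user, subject, category)
        return None
    except PermissionError as exc:
        return str(exc)


def harvest_friends(platform, app, user, category):
    """What a harvesting application does: try to pull `category` for every friend of `user`."""
    collected = {}
    for friend in sorted(platform.friends.get(user, set())):
        try:
            collected[friend] = platform.fetch(app, user, friend, category)
        except PermissionError:
            pass
    return collected


def bulk_access_alerts(platform, app):
    """Early-warning check over the sharing log: subjects whose data reached
    `app` although they never granted that app anything themselves."""
    subjects = {subject for a, _, subject, _ in platform.sharing_log if a == app}
    return sorted(s for s in subjects if not platform.granted(s, app))


def build_platform(friend_consent_required):
    """Constructed sample: alice and bob installed quizapp; carol and dave did not."""
    users = ["alice", "bob", "carol", "dave"]
    return OpenApiPlatform(
        profiles={u: {"profile": f"{u}'s profile", "likes": f"{u}'s likes"} for u in users},
        friends={"alice": {"bob", "carol", "dave"}, "bob": {"alice"}, "carol": {"alice"}, "dave": {"alice"}},
        platform_consent={u: {"profile", "likes"} for u in users},
        app_scopes={"quizapp": {"profile", "likes"}},
        user_app_grants={("alice", "quizapp"): {"profile", "likes", "friends_likes"},
                         ("bob", "quizapp"): {"likes"}},
        friend_consent_required=friend_consent_required,
    )


if __name__ == "__main__":
    for label, required in (("pre-2014 rule", False), ("post-2014 rule", True)):
        platform = build_platform(required)
        got = harvest_friends(platform, "quizapp", "alice", "likes")
        print(label, "friends' data obtained:", sorted(got), "alerts:", bulk_access_alerts(platform, "quizapp"))
```

Under the pre-2014 rule a single installing user (alice) is enough for the application to obtain the likes of all three of her friends, and the sharing log immediately shows two subjects (carol and dave) who never authorized the application at all; that log check is the kind of early-warning signal the last bullet calls for. Under the post-2014 rule only bob’s data is released, because only bob has his own grant to the application, and the alert list is empty. The log is also what makes the “monitor and track subsequent use” bullet possible: without a record of what was released to whom, there is nothing to audit later.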

This article has set out the main compliance issues concerning cookies and Open APIs for enterprises’ reference. To better serve enterprises’ compliance needs in personal data and privacy protection, the following articles in the series will explore cookies, Open APIs, SDKs and related topics in more depth: the technical principles behind them, the regulatory requirements in the main jurisdictions, and the relevant enforcement and judicial cases. We will also share our views on the regulatory rules and provide recommendations for enterprises’ compliance work.


[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

[2] Act of 8 December 1992 on the protection of privacy relating to the processing of personal data (“Privacy Act”).

[3] Recommendation no. 03/2017 of 12 April 2017, by the Belgian Commission for the Protection of Privacy.

[4] Facebook ordered to stop collecting user data by Belgian court, The Guardian, (https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court).

[5] Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach, The Guardian (https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election).

[6] Facebook finalized the settlement agreement with FTC, Techsina (http://tech.sina.com.cn/i/2012-08-11/11187493959.shtml).

[7] The Paper News: Facebook is alleged fraud due to abuse of user data, and for first time faced its lawsuit at State Court due to data leak, (http://www.thepaper.cn/newsDetail_forward_2042184).

[8] Facebook was fined 16,000 USD in France for poor user data protection, Techsina (http://tech.sina.com.cn/i/2017-05-16/doc-ifyfeivp5784995.shtml).

[9] AEPD Fines Facebook, fieldfisher (http://privacylawblog.fieldfisher.com/2017/aepd-fines-facebook/). On March 15, 2018, it was reported that Spain’s data protection agency (Agencia Española de Protección de Datos, AEPD) fined Facebook with 300,000 EUR for improper user privacy protection once again.

[10] Germany to Facebook: abusing its market dominance to collect user data, ifeng.com (http://finance.ifeng.com/a/20171220/15879269_0.shtml).

[11] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

[12] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

[13] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC.

[14] See: Article 76 (5) of the PRC Cybersecurity Law.

[15] Yanqing Hong: Looking at the data protection and data flow problem from Zuckerberg’s statement, (https://mp.weixin.qq.com/s?__biz=MzIxODM0NDU4MQ%3D%3D&idx=1&mid=2247484996&sn=13095c2496e958bfda14722a9ea05ede).

[16] Article 8.2 of Personal Data Security Specification.