Naked Security

Facebook ices in-app dating in EU after questions from regulator

The app's rollout in the EU has been delayed until Facebook can show privacy regulators its data protection workings.

Facebook has delayed the rollout of its new dating feature in Europe, after officers from the Irish data regulator popped by to ask why Facebook hadn’t checked in about it earlier or provided the necessary data privacy paperwork.
The Irish Data Protection Commission (DPC) said on Wednesday that Facebook Ireland hadn’t bothered to contact the DPC about its intention to roll out the new dating feature in the EU until Monday, 3 February. That’s not much time, the DPC said, given that this was the first it had heard about the feature, and given that Facebook planned to roll it out just 10 days later.

We were very concerned that this was the first that we’d heard from Facebook Ireland about this new feature […]. Our concerns were further compounded by the fact that no information/documentation was provided to us on 3 February in relation to the Data Protection Impact Assessment [DPIA] or the decision-making processes that were undertaken by Facebook Ireland.

Facebook first started talking about invading Tinder’s space with a dating feature for meeting non-friends back in May 2018 at its F8 developer conference. Then, it launched the in-app dating feature – called Facebook Dating – in September 2019 in the US, after having previously premiered it in 19 other countries, including Colombia, Canada, and Thailand.


Facebook says that it had, in fact, completed the necessary paperwork and shared it when asked. The BBC quoted a Facebook representative:

It’s really important that we get the launch of Facebook Dating right, so we are taking a bit more time to make sure the product is ready for the European market.
We worked carefully to create strong privacy safeguards and complete the data-processing impact assessment ahead of the proposed launch in Europe, which we shared with the [regulator] when it was requested.

When TechCrunch asked Facebook why, if it’s “really important” to get the launch “right,” it didn’t provide the DPC with the required documentation in advance instead of the regulator having to send agents to Facebook’s offices to get it themselves, Facebook said that the company doesn’t think it’s under obligation to do so:

We’re under no legal obligation to notify the IDPC of product launches. However, as a courtesy to the Office of the Data Protection Commission, who is our lead regulator for data protection in Europe, we proactively informed them of this proposed launch two weeks in advance. We had completed the data processing impact assessment well in advance of the European launch, which we shared with the IDPC when they asked for it.

The General Data Protection Regulation (GDPR) requires a DPIA any time a new project kicks off that’s likely to involve “a high risk” to other people’s personal information, be it through individual profiling or processing of sensitive data on a large scale.
A dating app that ties into Facebook’s cornucopia of personal data certainly falls within that sphere.
Facebook hasn’t given any indication of when the new release date will be for Facebook Dating in the EU.



2 Comments

No company needs to submit their DPIA for any kind of approval to anyone before product launch. This article even states that as per the quote from Facebook, so what is the point of this article? No one has done anything wrong here. If all potential products would need to be reviewed and approved beforehand by DPAs that would mean the end of innovation, and that is not the point of GDPR or a DPIA.


LOL! They don’t need to under law, but apparently the Irish Shakedown implies it is in Facebook’s interest to do so.
Thanks for your comment. I’m a regular person when it comes to this topic – nearly totally ignorant. I looked up DPIA and learned it is a process internal to each company. The law requiring DPIAs is actually quite toothless. The DPIA method is UP TO THE COMPANY, as long as they notify the Data Privacy Officer. As I read the EU GDPR, Facebook need only nominate their groundskeeper to be DPO, then send the groundskeeper a document saying, “We will protect PII of users.” THAT WOULD BE MEETING THE LETTER OF THE LAW. Now, in practicality, that might not be enough to face judgement IF FB is accused of something later. However, there is no apparent requirement to submit anything in the law I read. Is that impression accurate?
