The Norwegian Consumer Council (NCC) just reported Facebook to The Norwegian Data Protection Authority (DPA) for breaking European privacy law. This is coordinated with nine sister organisations in six European countries, according to NCC.


Updated with response from Facebook

On Wednesday this week it came to light that up to 87 million Facebook users may have been impacted by the Cambridge Analytica scandal. This number is significantly higher than the previous estimate of 50 million US citizens.

Norwegian News Agency (NTB) has confirmed that 17 Norwegians downloaded the thisisyourdigitallife app, giving Cambridge Analytica access to personal information. As a consequence, up to 37,550 Norwegians might have been affected.

This new information led the NCC to file a complaint against Facebook with the DPA. Nine sister consumer organisations in The Netherlands, Belgium, Spain, Portugal, Italy, and Greece have done the same.

In their letter to the DPA, the NCC writes:

– Based on news reports, it is clear from our perspective that there has been a breach of European data protection rules.

– It appears as if Facebook has not adequately protected its users’ data, and not taken all the necessary measures to amend the situation once it came to its knowledge in 2015.

Director of digital services at The Norwegian Consumer Council Finn Myrstad tells NRKbeta that one «now needs an independent evaluation from national authorities» on how Facebook is handling the personal information of Norwegians and other Europeans.

Facebook is launching new guidelines

In several interviews and press releases, Facebook has explained how it will tighten its practices in handling personal and sensitive data. Third-party apps will, for instance, get access to less personal data about Facebook users, and Facebook promises to make it simpler to change privacy settings.

Facebook will also remove the option to search for users by searching for phone numbers or email addresses.

In an interview with Vox, Facebook’s Mark Zuckerberg says they started investing more in security a year ago, and that it might take some years to solve the problems the company is facing.

The Norwegian Consumer Council: Problems known since 2010

On Monday Facebook will inform every single consumer whether they are affected. Is that insufficient?

Defining whether consumers are getting the correct information cannot be left solely to Facebook, Myrstad says, and adds: «It is a company with a history of avoiding conversations about the difficult things. This will contribute to sending a strong signal that incidents of this kind will have consequences, and that one needs to give access to neutral actors like the DPA.»

Myrstad is also pointing out that the issue has been known for years.

– The NCC reported the game company Zynga for exactly the same issue in 2010. One could really ask oneself which other apps have been harvesting similar data. This has been the practice from 2010 to 2015. Until recently, harvesting data from the platform has also been possible, though to a slightly more limited extent.

Through its Norwegian press service, Facebook has pointed to two earlier responses from CEO Mark Zuckerberg. The first is from Zuckerberg's Facebook post dated 21 March:

– First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity. We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well.

The second quote is from a Q&A with journalists dated 4 April:

– We have to ensure that all of those developers protect people’s information too. It’s not enough to have rules requiring they protect information, it’s not enough to believe them when they tell us they’re protecting information — we actually have to ensure that everyone in our ecosystem protects people’s information.

The Norwegian complaint is based on a letter sent on behalf of 43 consumer organisations in 31 European countries to the «Article 29 Working Party» in the EU, a privacy group.

After what has come to light in the last few days, several organisations felt they had to contact national authorities directly.

This is the Norwegian letter in full (in Norwegian)

Here is the European letter it is based on (in English)