Facebook’s privacy policy violates European law, according to a study commissioned by the Belgian privacy commission, and released today, The Guardian reports.

Conducted by the Centre of Interdisciplinary Law and ICT at the University of Leuven, the report says the social network’s updated policies, which came into effect last month, only expanded previous policy and practices, and violate European consumer protection law.

The authors argue that Facebook’s policies on profiling for third-party advertising do not “meet the requirements for legally valid consent” and that it “fails to offer adequate control mechanisms” to prevent user-generated content being used for commercial purposes.

The report says: “Facebook places too much burden on its users. [They] are expected to navigate Facebook’s complex web of settings in search of possible opt-outs. Facebook’s default settings related to behavioural profiling or Social Ads, for example are particularly problematic.”

It goes on to note that there is no way to stop the social network from collecting your location information via its smartphone apps other than switching off location access at the OS level.

No choice

The authors write: “Users are offered no choice whatsoever with regard to their appearance in ‘sponsored stories’ or the sharing of location data.” They also say that Facebook does not provide “adequate information” to allow users to make informed choices when options are available.

The report concludes that the collection and use of information described in Facebook’s policies does not comply with Article 5(3) of the EU e-Privacy Directive, which requires informed prior consent before storing or accessing information of your device.

Facebook is reported to have met with Belgian privacy minister, Bart Tommelein, to discuss the report and argued that its policy does not break Belgian data protection laws.

The company is also under investigation by the Dutch data protection authority as well as being subject to a probe by the Article 29 working party, which is comprised of data regulators from across Europe, including the UK’s Information Commissioner.

Late last year, the UK parliament’s Science and Technology Committee argued that social media sites should be required to drastically simplify their terms and conditions.

We’ve contacted Facebook for a comment on the report and will update this story if it has anything public to say on the matter.

Update: Facebook sent us the following statement:

“We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising. We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates ­ including this one ­ with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.”

TNW understands that Facebook was recently subject to two audits of its data protection policies by the Irish Data Protection Commissioner (IDPC) and found to be in compliance with EU law. We’ve contacted the IDPC for further details on the auditing process.

Update 2: The IDPC says it conducted its last audit of Facebook’s data protection policies in 2012. You can read it here.

➤ From social media service to advertising network [PDF via The Guardian]

Read next: Google launches YouTube Kids on Android and iOS