Data Protection Report - Norton Rose Fulbright

On 18 June 2019, Facebook announced plans to launch a new blockchain enabled cryptocurrency called Libra.

In early August 2019, the UK’s Information Commissioner’s Office (the ICO) joined other data protection authorities from around the world (from Europe, the Americas, Africa and Australasia) in publishing a statement to Facebook and the 28 other companies behind the Libra project asking for details as to how personal data will be processed in connection with the Libra project in compliance with data protection laws (the Statement).

The Statement

The Statement:

  • highlights Facebook’s previous mishandling of personal data and expresses concern about the lack of information published to date about the data handling practices that will be put in place to secure and protect personal data; and
  • notes that the privacy risks associated with Libra are particularly acute due to the involvement of Facebook and its “expansive categories of data collection on hundreds of millions of users”.

The data protection authorities are therefore seeking clarification from Facebook and the other companies involved as to how they plan to protect personal data across all jurisdictions, and how they will ensure that privacy is incorporated into the design of the Libra infrastructure. Among other things, the  data protection authorities want assurances as to:

  • how the  Libra network will ensure its participants provide clear information about how personal data will be used, ensure that privacy control settings are prominent and easy to use, and that they collect and process the minimum amount of personal information necessary;
  • how the Libra network will ensure that processors of data within the Libra network are identified and comply with their respective data protection obligations;
  • how the Libra network plans to undertake data protection impact assessments;
  • how the Libra network will ensure consistency in the implementation of its data protection and privacy policies, standards and controls across different jurisdictions; and
  • where and how personal data is to be shared among Libra network members.

There is no stipulated date by which Facebook must respond to the questions set out in the Statement. Libra cryptocurrency is set to be released sometime in 2020, but with a large number of regulators still not comfortable with numerous aspects, this target may prove to be an optimistic one.

Our take

The Statement:

  • demonstrates the ongoing regulatory scrutiny that organisations may face in light of prior data protection failings;
  • looks back to Facebook’s previous mishandling of personal data, and makes clear that broad public statements about privacy are not enough – what is required is a specific consideration of information handling practices and compliance with personal data requirements; and
  • makes no reference to the frequently discussed potential challenges in reconciling key features of blockchain technology with some of the requirements under European data protection law. This may be because of the global nature of the Statement and its authors. However, it will be interesting to see how Facebook handles these challenges when responding to the questions raised in the Statement and when designing the platform.

While projects involving new technology have the potential to offer benefits to data subjects such as consumers, organisations must be mindful of the fact that the data protection authorities expect privacy implications to be considered as a fundamental aspect of the project design – and the Statement underscores this.