The world’s top information and privacy regulators including those from the US and EU have signed a joint statement voicing concerns about consumers’ privacy and Facebook’s Libra currency project.
Seven information and privacy regulators have criticised Facebook’s record on data, or what they term ‘previous episodes’, as part of the warning about Libra and its associated projects.
In a joint statement, the regulators say: “As representatives of the global community of data protection and privacy enforcement authorities, collectively responsible for promoting the privacy of many millions of people around the world, we are joining together to express our shared concerns about the privacy risks posed by the Libra digital currency and infrastructure.”
They also raise specific concerns about the interaction of Libra and Facebook’s already enormous store of information.
“These risks are not limited to financial privacy, since the involvement of Facebook Inc., and its expansive categories of data collection on hundreds of millions of users, raises additional concerns. Data protection authorities will also work closely with other regulators.”
The regulators specifically say they are concerned about the Libra Network comprising the non-profit Libra Association – the group of 28 firms involved in the Libra project including PayPal, MasterCard, eBay and Visa – and Calibra, the Facebook subsidiary set up to provide the future Libra digital wallet. They are also worried about Libra’s use of and impact on jurisdictions with less sophisticated data privacy regulatory regimes.
Regulators want specifics on privacy
The statement continues: “To date, while Facebook and Calibra have made broad public statements about privacy, they have failed to specifically address the information handling practices that will be in place to secure and protect personal information.
“Additionally, given the current plans for a rapid implementation of Libra and Calibra, we are surprised and concerned that this further detail is not yet available. The involvement of Facebook Inc. as a founding member of the Libra Association has the potential to drive rapid uptake by consumers around the world including in countries which may not yet have data protection laws in place.
“Once the Libra Network goes live, it may instantly become the custodian of millions of people’s personal information.”
The regulators pose six questions and some subsidiary questions below:
1. How can global data protection and privacy enforcement authorities be confident that the Libra Network has robust measures to protect the personal information of network users? In particular, how will the Libra Network ensure that its participants will:
a. provide clear information about how personal information will be used (including the use of profiling and algorithms, and the sharing of personal information between members of the Libra Network and any third parties) to allow users to provide specific and informed consent where appropriate
b. create privacy-protective default settings that do not use nudge techniques or “dark patterns” to encourage people to share personal data with third parties or weaken their privacy protections
c. ensure that privacy control settings are prominent and easy to use
d. collect and process only the minimum amount of personal information necessary to achieve the identified purpose of the product or service, and ensure the lawfulness of the processing
e. ensure that all personal data is adequately protected
f. give people simple procedures for exercising their privacy rights, including deleting their accounts, and honouring their requests in a timely way.
2. How will the Libra Network incorporate privacy by design principles in the development of its infrastructure?
3. How will the Libra Association ensure that all processors of data within the Libra Network are identified, and are compliant with their respective data protection obligations?
4. How does the Libra Network plan to undertake data protection impact assessments, and how will the Libra Network ensure these assessments are considered on an ongoing basis?
5. How will the Libra Network ensure that its data protection and privacy policies, standards and controls apply consistently across the Libra Network’s operations in all jurisdictions?
6. Where data is shared amongst Libra Network members:
a. what data elements will be involved?
b. to what extent will it be de-identified, and what method will be used to achieve de-identification?
c. how will Libra Network ensure that data is not re-identified, including by use of enforceable contractual commitments with those with whom data is shared.
The full list of concerned regulators is: Angelene Falk, Australian Information and Privacy Commissioner; Daniel Therrien, Privacy Commissioner, Canada; Marguerite Ouedraogo Bonane, President of the Commission for Information Technology and Civil Liberties, Burkina Faso; Giovanni Buttarelli, European Data Protection Supervisor, EU; Elizabeth Denham, UK Information Commissioner; Rohit Chopra, Commissioner of the Federal Trade Commission, USA; and Besnik Dervishi, Information and Data Protection Commissioner for Albania.