36 ARTICLE
The business of personal data: Google,
Facebook, and privacy issues in the EU
and the USA
Asunci
on Esteve*
Key Points
 This article analyses how Google and Facebook
gather and organize their users’ personal data in
order to exploit them for advertising. This analy-
sis is given from the perspective of European
Union (EU) privacy protection with attention
also given to USA law.
 The article starts with a short description of the
techniques employed by Google and Facebook to
collect and monetize their users’ personal data.
 The central part of this article examines the main
privacy issues that arise through the use of per-
sonal data by Google and Facebook, such as the
lack of valid consent given by their users, the in-
sufficient access and control given to users over
their personal information, and the risk of re-
identification of anonymous personal data.
Special reference is made to Google and
Facebook’s privacy policies and the confusing in-
formation that they provide about the use of per-
sonal data.
 This article compares the different approaches of
the EU and USA regarding privacy protection
and describes the challenges that new technology
development poses to the legislature regarding
the protection of privacy.
* Asuncion Esteve, Professor of Law (Profesora Agregada), Department of
Civil Law, Faculty of Law, University of Barcelona, Barcelona, Spain. The
author would like to thank Ricard Martınez for his helpful comments.
1 See ‘Personal Data: The Emergence of a New Asset Class’ World
Economic Forum, January 2011 <http://www.weforum.org/reports/per
sonal-data-emergence-new-asset-class> accessed 26 January 2017.
C The Author 2017. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com
V
International Data Privacy Law, 2017, Vol. 7, No.
The business of personal data: Google,
Facebook, and privacy issues in the USA
and Europe
Personal data has become a new source of economic
value. Once processed and classified they provide rele-
vant information for companies about people’s interests
and activities, which is extremely useful for advertising.
Some of the largest Internet companies, such as Google,
Facebook, and Twitter, are built on the economics of
personal data. Their activities in this area show the im-
portance of collecting, aggregating, analysing, and mon-
etizing personal data.1
Although making a profit from personal data may be
seen as an intrusion on individuals’ privacy,2 there is no
legal reason to prevent a business model from develop-
ing just because it is based on processing personal infor-
mation. There are, of course, very strict privacy
limitations to such business models that may diminish
their revenue. The question is what privacy law protects
and what it forbids others to do, especially in the case of
online companies that can easily collect their users’ data
in order to make a profit from advertising.
Google and Facebook stand out in this context, as they
are among the most popular sites on the Web.3 Google is
the largest Internet search engine and Facebook is the big-
gest social network in the world. If one considers the
amount of personal information that both companies
gather and the way they organize all their data, the result
is that they have the largest databases of personal
2 See N Helberger and others, Digital Consumers and the Law. Towards a
Cohesive European Framework (Kluwer Law International, The
Netherlands 2012) 162–3.
3 According to <www.alexa.com> accessed 26 January 2017, a web site
that provides visitors data information on 30 million websites.
 on Esteve
Google, Facebook, and privacy issues
Asunci
information in the world, which they share with others
for marketing purposes. How ever, some of Google and
Facebook’s practices—like the tracking of users’ behav-
iour—have been the subject of severe criticism by US
and European scholars4 and both companies have dealt
with numerous controversies regarding privacy in recent
years. Additionally, Google and Facebook have expanded
their business from the USA into Europe. They have
subsidiaries in Member States that process users’ data ac-
cording to their privacy policies which were adopted un-
der US law,5 but are subject to the European privacy
legislation. As a matter of fact, the Court of Justice of the
European Union (CJEU) in the Google Spain judgment
on the so-called ‘right to be forgotten’ ruled that the
European Union (EU) Data Protection Directive is appli-
cable to the activities of Google’s subsidiaries in Member
States. The same criteria could be applied to Facebook’s
subsidiaries in Member States.6 Therefore, Google and
Facebook’s processing of personal data is ruled by the na-
tional legislation of those EU Member States where
Google and Facebook have set up a branch or subsidiary.
As EU privacy legislation applies to the processing of
data by some US companies in Europe, the differences be-
tween both privacy legal systems become more visible. In
Europe, the protection of personal data—as a specific
right—was for the first time guaranteed by the ‘Convention
for the Protection of Individuals with regard to Automatic
Processing of Personal Data’ that was adopted by the
Council of Europe in 1981.7 Moreover, in 1995 the EU
adopted the Data Protection Directive [EU Directive]8 that
protects personal data on the same level as that of funda-
mental rights, as privacy is considered to be a human right
across Europe.9 In the USA, by contrast, there is no such
‘right to data protection’ comparable to the one recognized
in Europe. The USA uses a sectoral approach to privacy
that relies on a mixture of legislation, regulation, and self-
regulation, and it lacks a comprehensive framework on per-
sonal data such as the one provided by the EU Directive.
4 See IS Rubinstein and N Good, ‘Privacy by Design: a Counterfactual
Analysis of Google and Facebook Privacy Incidents’ (2013) 28 Berkeley
Technology Law Journal 1333, 1409–11; J Rosen, ‘The Deciders: The
Future of Privacy and Free Speech in the Age of Facebook and Google’
(2011–12) 80 Fordham Law Review 1525, 1535; Helberger and others
(n 2) 162–64; R Wong, ‘Social Networking: A Conceptual Analysis of
Data Controller’ (2009) 14 Communications Law 142, 143; AB Munir
and TY Teh, ‘Googling Data Protection, Don’t be Evil’ (2008) 14
Computer and Telecommunications Law Review 183, 190.
5 Google and Facebook’s privacy policies were originally set out in the
USA in order to comply with US law.
6 Case C–131/12 Google Spain v AEPD and Mario Costeja Gonzalez,
Judgment of the Court (Grand Chamber) 13 May 2014, paras 55–60.
7 Convention 108. Strasbourg, 28.I.1981.
8 Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995 on the protection of individuals with regard to the pro-
cessing of personal data and on the free movement of such data.
ARTICLE 37
In fact, the recent CJEU judgment regarding the trans-
fer of personal data controlled by Facebook Ireland in the
EU to servers belonging to Facebook Inc., located in the
USA, has highlighted the clash of these two privacy cul-
tures. Under Article 25 of the EU Directive, data transfers
to third countries are prohibited unless such countries
provide ‘an adequate level of data protection’. The judg-
ment declared that the US privacy legislation did not pro-
vide an adequate level of data protection.10 According to
this judgment, the US legislation permitting public au-
thorities to have access on a generalized basis to personal
data transferred from Europe compromised the essence
of the fundamental right to respect private life. For this
reason, the European Commission and the US
Department of Commerce have recently agreed on a new
framework for transatlantic personal data flows.11
Therefore, US Internet companies like Microsoft,
Yahoo, Apple, Google, and Facebook that process large
volumes of personal data in their subsidiaries in Europe
must comply with EU data protection legislation, but
they are also subject to US privacy law.
This article will focus on Google and Facebook’s prac-
tices of data processing as a point of reference to analyse
the process of monetizing users’ personal data by Internet
companies from the perspective of EU data protection leg-
islation and US privacy legislation. This dual perspective
will allow the comparison of both legal systems with re-
gard to privacy restrictions on new business models based
on the processing of personal data and to evaluate their
adequacy in the new technological environment.
Google and Facebook’s practices of
processing data for advertising
Google and Facebook’s privacy policies explain the per-
sonal information they collect and how they use the in-
formation.12 However, privacy policies are not meant to
9 European constitutional law has recognized privacy as a fundamental
right in instruments ranging from the 1950 Convention for the
Protection of Human Rights to the 2000 Charter of Fundamental Rights
of the European Union.
10 Case C–362/14 Maximillian Schrems v Data Protection Commissioner,
Judgment of the Court (Grand Chamber) 6 October 2015, paras 28, 95–98.
11 The ‘EU-US Privacy Shield’ was adopted on 2 February 2016. See
European Commission - Press release, ‘EU Commission and United
States Agree on New Framework for Transatlantic Data Flows: EU-US
Privacy Shield’, <http://europa.eu/rapid/ press-release_IP-16-216_en.
htm> accessed 26 January 2017.
12 See Google privacy policy available at <http://www.google.com/intl/en/
policies/privacy/> accessed 26 January 2017; (Last modified 29 August
2016) and Facebook data policy available at <https://www.facebook.
com/policy.php> accessed 26 January 2017; (Date of Last Revision 29
September 2016).
38 ARTICLE
be a thorough and rigorous description of website prac-
tices of processing and sharing their customers’ personal
information. As a matter of fact, privacy policies origi-
nated in the USA and they play different roles in rela-
tion to the legal obligations of companies processing
information about individuals in US and European law.
The role of privacy policies
In the USA, privacy policies have expanded rapidly on
commercial websites as fair practice to notify users about
the collection and use of their personal information but
no US law regulates the substance of privacy policies.13 In
the late 1990s, the US Federal Trade Commission ad-
vanced a set of Fair Information Practices Principles that
mandate a certain level of personal data security on web-
sites such as ‘Notice’ (disclosure of their use of personal
information), ‘Choice’ (individual’s consent), ‘Access’,
and ‘Data security’. The Federal Trade Commission also
encouraged the industry to address consumer concerns
regarding online privacy through self-regulation.14
Therefore, privacy policies have largely been a voluntary
measure by online companies to promote their privacy
practices and an attempt at self-regulation in order to
convince policymakers that no additional regulation was
needed.15 The result of this is that websites located in
USA can be held liable for failing to notify customers of
their practice of sharing personal information, but if they
comply with the disclosure requirement, they are free to
state in their privacy policies that they will treat a visitor’s
personal information virtually any way they wish.16 The
Federal Trade Commission can bring an action against a
company for breaching a promise in its privacy policy
and, even more broadly, for any deceptive or unfair act or
practice.17 But the Federal Trade Commission has little
power to control privacy policies themselves, as no federal
nor state law regulates and determines the legitimate
13 AW Haynes, ‘Online Privacy Policies: Contracting Away Control Over
Personal Information’ (2006–07) 111 Penn State Law Review 587, 597.
14 See Federal Trade Commission, ‘Privacy-Online: Fair Information Practices
in the Electronic Marketplace’ A Report to Congress, May 2000, 42
<https://www.ftc.gov/reports/privacy-online-fair-information-practices-elec
tronic-marketplace-federal-trade-commission> accessed 26 January 2017.
15 DJ Solove and W Hartzog, ‘The FTC and the New Common Law of
Privacy’ (2014) 114 Columbia Law Review 583, 593–4.
16 J Turlow, ‘American Online Privacy: The System is Broken’ A Report
from the Annenberg Public Policy Center of the University of
Pennsylvania 5 (2003) 5.
17 S 5 of Federal Trade Commission Act prohibits ‘unfair or deceptive acts
or practices in or affecting commerce’.
18 Solove and Hartzog (n 15) 583, 587–88.
19 Haynes (n 13) 587, 603–04.
20 See Federal Trade Commission Enforcement action against Google
Inc, 20 November 2012, Complaint Google Inc, FTC File 1023136 No C-
4336 available at <https://www.ftc.gov/enforcement/cases-proceedings/
google-inc> accessed 26 January 2017.
International Data Privacy Law, 2017, Vol. 7, No. 1
forms of data collection in use by companies such as
Facebook or Google.18 Due to this, the Federal Trade
Commission has brought actions against Web companies
who have violated the terms of their own privacy poli-
cies.19 For example, Google has been fined by the Federal
Trade Commission for the use of advertising tracking
cookies on the computers of Safari users who visited sites
within Google’s DoubleClick advertising network, be-
cause Google had previously told these users they would
be automatically opted out of such tracking.20
The situation is quite different in Europe. The EU
Directive has established a set of rules that control the use
of personal information by websites, regardless of what
their privacy policies say. According to EU law, privacy
policies must comply with the privacy standards of the EU
Directive.21 Granting rights to the company in the privacy
policy which would adversely affect the user’s privacy rights
granted in the EU Directive should be avoided, since such
clauses will be found void, may invalidate the entire privacy
policy, and could even be the subject of a complaint or
class action.22 Therefore, both privacy policies and the real
practices of Facebook and Google are constrained by the
EU Directive, the rules of which are mandatory for all
companies whose websites operate in the EU.
For this reason, in 2014 Facebook changed the terms
of its privacy policy to include new tracking systems for
gathering personal data by cookies and social plug-ins
(such as the ‘Like Button’), and several Data Protection
Authorities in Europe investigated the practices of the
company.23 Moreover, the Belgian Data Protection
Authority initiated summary proceedings against
Facebook, claiming that such privacy policies terms were
not compatible with Belgian privacy legislation and it
proved that the so-called ‘datr’ cookie in combination
with the ‘Like Button’ was used by Facebook to obtain
and process personal data of Internet users who did not
have a Facebook account.24 The Belgian Court declared
21 F Marotta-Wurgler, ‘Understanding Privacy Policies: Content, Self-
regulation and Market Forces’ NYU Law School, October 2015,
5 <http://www.law.uchicago.edu/files/file/marotta-wurgler_understand
ing_privacy_policies.pdf> accessed 26 January 2017.
22 C Kuner, European Data Privacy Law and Online Business (Oxford
University Press, Oxford 2003) 194.
23 See <https://iapp.org/news/a/contact-group-calls-for-facebook-datr-halt-
across-the-eu/> accessed 26 January 2017.
24 Judgment in summary proceedings of the President of the Dutch-
Speaking Court of First Instance of Brussel, Belgium, 9 November 2015
in the case of the President of the Belgian Data Protection Authority v
Facebook. When someone who was not a Facebook user visited a website
of the facebook.com domain, Facebook automatically placed a ‘datr’
cookie on that visitor’s hard disk that contained information identifying
an Internet user’s browser. When that Internet user visited a website with
a social plug-in button of Facebook, his browser was automatically con-
nected to the Facebook server and the information from Facebook’s
‘datr’ cookie, which was stored on the user’s hard disk, was sent to the
Facebook servers.
 on Esteve
Google, Facebook, and privacy issues
Asunci
the claim admissible and ordered Facebook to cease this
practice in respect of every Internet user on Belgian terri-
tory who has not registered as a Facebook member.25
For these aforementioned reasons, what Google and
Facebook describe in their privacy policies should not
be regarded as their actual data processing practices.
However, both companies disclose some relevant infor-
mation in their privacy policies about their practices of
collecting and sharing users’ personal information that
should be examined from the legal positions of both
Europe and US law.
Main sources of personal data collected by
Google and Facebook
Google and Facebook privacy polices state that they col-
lect personal data mainly to improve their services and
develop new ones. They make a distinction between the
information that users decide to give them (‘information
you give us’—Google or ‘information you provide’—
Facebook) and the information they systematically col-
lect from users when they use their services, without
them even noticing it (‘information we get from your use
of our services’—Google or ‘we also collect information
about how you use our services’—Facebook). The final
goal of both companies is to process and centralize all
the personal information from users.
In Facebook’s case, most personal information is vol-
untarily given by users when they sign up for Facebook,
when they create a profile, and when they communicate
with other Facebook users. But Facebook constantly en-
courages users to reveal information about other people
and has also tried to track non-users personal informa-
tion (for example, through the ‘Like Button’).
25 Judgment in summary proceedings of the President of the Dutch-
Speaking Court of First Instance of Brussel, Belgium, of 9 November
2015 in the case of the President of the Belgian Data Protection Authority v
Facebook.
26 Data contained in search-query logs includes terms used when searching,
web requests, IP address, and user browser information. See Google pri-
vacy policy/Information we collect/Information we get from your use of
our services/Log information.
27 See Facebook data policy/What kinds of information do we collect?/
Things you do and information you provide. See Google privacy policy/
Information we collect/Information we get from your use of our services/
Local storage.
28 Google privacy policy declares ‘We and our partners use various technol-
ogies to collect and store information when you visit a Google service,
and this may include sending one or more cookies or anonymous identi-
fiers to your device.’ See Google privacy policy/Information we collect/
Information we get from your use of our services/Cookies and similar
technologies. Facebook data policy on cookies states ‘We use cookies to
help us show ads for businesses and other organizations to people who
may be interested in the products, services or causes they promote.’ See
<https://www.facebook.com/help/cookies/update> accessed 26 January
2017.
29 Google explains ‘We collect device-specific information (such as your
hardware model, operating system version, unique device identifiers, and
ARTICLE 39
Google also collects personal information that users
voluntarily offer when, for example, they sign up to a
Google account or when they create a publicly visible
Google profile. But one of the Google’s main sources of
personal information is the ‘search query data’ that indi-
viduals enter when they search content provided by
Google and that allows Google to track automatically
users’ behaviour.
Google and Facebook explain in their privacy policies
that they automatically collect information from their
users and they describe their main sources of automati-
cally logged personal data. Such sources are the ‘search
query logs’ that allow Google to monitor and track
search queries of anyone who uses the services, even if
they have not registered or created a Google account,26
the ‘local storage’ of their users’ personal information,27
‘cookies’ that they send to trace their user’s browsing
history,28 and the ‘device’ and ‘location’ information
that they collect from users.29 Although Google and
Facebook inform their users that they will automatically
collect all these data from them, the users remain uncer-
tain as to what specific personal data are being
tracked.30
The secret of the success: contextual and
personalized advertising
Google and Facebook process and combine all the per-
sonal data they collect from users. Their privacy policies
mention how they combine users’ personal data and
eventually relate them with marketing processes.31
Google and Facebook process and classify personal data
in such a way that they offer companies the most
mobile network information including phone number).’ Google privacy
policy/Information we collect/Information we get from your use of our
services/Device information. Facebook explains ‘We collect information
from or about the computers, phones, or other devices where you install
or access our Services, depending on the permissions you’ve granted.’
Facebook data policy/What kinds of information we collect/Device
information.
30 KP McLaughlin, ‘Sharing You with You: Informational Privacy, Google
& The Limits of Use Limitation’ (2012–13) 23 Albany Law Journal of
Science and Technology 55, 76–77; O Tene, ‘What Google Knows:
Privacy and Internet Search Engines’ (2008) 4 Utah Law Review 1433,
1438.
31 Google declares ‘Our automated systems analyse your content (including
emails) to provide you personally relevant product features, such as cus-
tomised search results, tailored advertising, and spam and malware detec-
tion’, see Google privacy policy/How we use the information we collect.
Facebook explains ‘To decide which ads to show you, we use: informa-
tion you share on Facebook, other information about you from your
Facebook account, information advertisers and our marketing partners
share with us that they already have, like your email address, your activity
on websites and apps off of Facebook’, see Facebook Help Center, Ad
preferences.
40 ARTICLE
efficient tools for advertising, that is, contextual and
remarketing advertising.
Contextual advertising refers to the placement of
commercial ads within the content of a web page.32
Contextual advertising systems automatically match the
topic of a web page with elements of an ad—such as
text and images—and there is usually a commercial in-
termediary between web publishers and advertisers,
called an advertising network, in charge of optimizing
the ad selection. All major search engines (Google,
Yahoo, and Microsoft) provide ad-networking services;
they have databases of millions of ads, which need to be
matched to each of the web pages in stream of
contextual-match requests.33 Such a technique provides
great potential for advertisers, as users spend most of
their time on the web on content pages, as opposed to
search engine result pages. The advertiser pays a certain
amount for every click on the ad, and the revenue is
shared between the publisher and the ad-network.34
Remarketing advertising shows users ads for products
they have previously viewed. Google offers remarketing
services to let companies target their ads to people who
have visited their pages and to encourage them to return
and complete the purchase.35 Remarketing techniques are
an example of behavioural advertising, which involves
monitoring people’s online behaviour and using the in-
formation gathered to show people individually targeted
advertisements.36 It is important to mention that remar-
keting techniques are based on users’ IP address. The ads
are selected and served by automated systems based on
the identity of users and the content displayed.
For many US commenters, representing both industry
and consumer groups, contextual advertising differs from
behaviourally targeted advertising because it is based only
on the content of a particular website or search query,
rather than on information about the consumer collected
32 A Broder and others, ‘A Semantic Approach to Contextual Advertising’
Proceedings SIGIR (2007) 559, 559. As Google explains ‘sometimes the
ad you see is based on the context of a page, if you’re looking at a page of
gardening tips, you might see ads for gardening equipment’, see Google
privacy policy, Advertising, What determines the ads by Google that I
see? <http://www.google.com/intl/en/policies/technologies/ads/>
accessed 26 January 2017.
33 M Ciaramita, V Murdoch and V Plachouras, ‘Semantic Associations for
Contextual Advertising’ (2008) 9 Journal of Electronic Commerce
Research 1, 6.
34 Google achieves contextual advertising by using technologies like
AdSense (available at <http://www.google.com/adsense/start/, accessed
26 January 2017>), and a range of DoubleClick-branded services ‘to help
our partners manage their advertising and websites’. DoubleClick is an
online ad serving company that Google bought in 2007. See B Weller and
L Calcott, The Definitive Guide to Google Adwords. Create Versatile and
Powerful Marketing and Advertising Campaigns (Apress, New York 2012)
16.
35 Google gives the following example of remarketing: ‘Suppose you visit a
website that sells golf clubs, but you don’t buy those clubs on your first
visit. The website owner might want to encourage you to return and
International Data Privacy Law, 2017, Vol. 7, No. 1
over time.37 But in fact, when search engines display con-
textual advertising, the content is not only derived from
the user’s search keywords but also from previous search
queries of the user’s IP address. For this reason, according
to the European advisory body on data protection and pri-
vacy (the so-called ‘Article 29 Working Party’), contextual
advertising is also a method of behavioural advertising.38
Contextual and remarketing advertising are Google
and Facebook’s core business. Both companies constantly
track certain information about their individual users in
order to tailor advertisements and then charge the adver-
tising companies a rate per advertisement posted.39
Privacy issues regarding processing of
personal data by Google and Facebook
from the US and EU perspectives
Google and Facebook have both experienced serious pri-
vacy incidents in the US and Europe, which has led to
lawsuits and government scrutiny from the US Federal
Trade Commission and the European Commission. The
main privacy issues that raise controversy regarding
Google and Facebook’s practices are very similar in USA
and Europe, the most relevant being:
 Lack of or inadequate consent from Google and
Facebook users for the procedure of obtaining and
sharing their personal data
 Insufficient user’s access and control of their personal
information.
 Risk of re-identifying anonymous personal data.
These issues will be analysed from the US and the EU’s per-
spective to show their different approaches and effective-
ness. While the European Directive imposes a set of rules
on websites and constrains almost any use of ‘personal
complete your purchase.’ Google Privacy & Terms, Advertising/Why I
am seeing ads by Google for products I’ve viewed? <http://www.google.
com/intl/en/policies/technologies/ads/> accessed 26 January 2017.
36 FJ Zuiderveen Borgesius ‘Personal Data Processing for Behavioural
Targeting: Which Legal Basis’ (2015) 5 International Data Privacy Law
163, 164.
37 See ‘Self-Regulatory Principles for Online Behavioural Advertising’
Report of the Federal Trade Commission, February 2009, 29–30. The
Federal Trade Commission has defined contextual advertising narrowly,
and it considers that where a practice involves the collection and reten-
tion of consumer data for future purposes beyond the immediate delivery
of an ad or search result, the practice does not constitute contextual
advertising.
38 See Article 29 Working Party, ‘Opinion 2/2010 on Online Behavioural
Advertising’, June 2010, 4 <http://ec.europa.eu/justice/policies/privacy/
docs/wpdocs/2010/wp171_en.pdf> accessed 26 January 2017.
39 See for Google, J Schinasi, ‘Practicing Privacy Online: Examining Data
Protection Regulations through Google’s Global Expansion’ (2014) 52
Columbia Journal of Transnational Law 569, 574.
 on Esteve
Google, Facebook, and privacy issues
Asunci
data’ without the subject’s consent, the US legal system is
not structured by such comprehensive rules and seems
more flexible as it is based on a diffused right to privacy
rather than on specific regulation for activities concerning
data processing.
Privacy law in the USA has developed in a fragmented
fashion and is currently a hodgepodge of various constitu-
tional protections, federal and state statutes, torts, regula-
tory rules, and treaties.40 Privacy regulations can be found
in different US sectoral laws like the Fourth
Amendment,41 the First Amendment,42 the Fair Credit
Reporting Act of 1970,43 the Privacy Act of 1974,44 the
Electronic Communications Privacy Act45 of 1986, the
Health Insurance Portability and Accountability Act of
1996,46 the Children’s Online Privacy Protection Act of
1998,47 non-federal laws and privacy official guidelines
such as the Fair Information Practices Principles (FIPPs),
and the OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data.48 In 2012 the
White House presented the Consumer Privacy Bill of
Rights to provide more consistent protection to consumer
data privacy, but it has not been enacted through legisla-
tion yet.49 That makes the US legislative framework on
privacy and personal data more complex and difficult to
understand, especially for European scholars who consider
personal data to be an essential part of the right of privacy
and believe that the US legislation on privacy provides a
fragmented and weak protection for personal data.
However, both systems provide legal mechanisms to
ensure personal data protection, although they do it in
different ways and to different standards.
40 Solove and Hartzog (n 15) 583, 587.
41 US Constitution, Amendment IV.
42 US Constitution, Amendment I.
43 15 USC s 1681ff. The FCRA’s provisions are ss 601–29 of the Consumer
Credit Protection Act and are commonly cited by those section numbers.
44 Pub L No 93–579 (5 USC s 552a).
45 18 USC s 2510ff.
46 Pub. L No 104–91, 110 Stat 1936.
47 Pub L 105–277, Division C, Title XIII (codified at 15 USC ss 6501–06).
48 See Organisation for Economic Cooperation and Development
Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data (23 September 1980) <http://www.oecd.org/sti/ieconomy/
2013-oecd-privacy-guidelines.pdf> accessed 26 January 2017.
49 See The Executive Office of the President, Consumer Data Privacy in a
Networked World: a Framework for Protecting Privacy and Promoting
Innovation in the Global Digital Economy (2012) <https://epic.org/privacy/
white_house_consumer_privacy_.html#docs> accessed 26 January 2017.
50 See ‘Unlocking the Value of Personal Data’ World Economic Forum,
February 2013, 11 <http://www.weforum.org/reports/unlocking-value-
personal-data-collection-usage> accessed 26 January 2017.
51 AM Mac Donald and LF Cranor, ‘The Cost of Reading Privacy Polices’
(2008) 4 Journal of Law and Policy for the Information Society 543, 544.
The authors conducted a study of 212 participants to measure time to
skim online privacy policies and respond to simple comprehension ques-
tions. They estimated that reading privacy policies carries approximately
201 hours a year per user, 565.
ARTICLE 41
Lack of or inadequate consent from users
‘It would take the average person about 250 working
hours every year or about 30 full working days to actually
read the privacy policies of the websites they visit in a
year’.50 This statement highlights one of the basic reasons
that may invalidate Google and Facebook users’ consent,
namely, the lack of informed consent. Studies show how
privacy policies are hard to read, are read infrequently,
and do not support rational decision-making.51
Google and Facebook impose on their users an agree-
ment regarding the use of their personal data. The
clauses and conditions of these agreements are ex-
pressed in their privacy policies but their large extension
as well as their complexity makes them difficult to un-
derstand to the average user.52 Furthermore, some of
their privacy policies clauses’ are vague and confusing.53
As a matter of fact, Google and Facebook users accept
privacy policies because they have to. Not using Google
means not participating in today’s information society
and for many people not joining Facebook is a sign of
social isolation and places you out of touch with the real
world. Most of them neither read nor understood the
average privacy policy or terms used, but even assuming
they did, it would still be impossible to understand the
motives of third parties.54 Moreover, consent cannot be
construed for anonymous/unregistered users of Google
who have not chosen to authenticate themselves volun-
tarily.55 The lack of users’ consent also takes place when
Google and Facebook change their privacy practices
without obtaining new approval from the user.56 The
Federal Trade Commission (FTC) has required Google
52 For example, Google and Facebook’s privacy policy give explanations on
cookies and advertising techniques that require some technical knowl-
edge that most people lack. Google explains: ‘Our Google Analytics prod-
uct helps businesses and site owners analyse the traffic to their websites
and apps. When used in conjunction with our advertising services, such
as those using the DoubleClick cookie, Google Analytics information is
linked, by the Google Analytics customer or by Google, using Google
technology, with information about visits to multiple sites.’ See Google
privacy policy/Information we collect/ Cookies and similar technologies.
53 For example, Facebook explains: ‘We receive information about you and
your activities on and off Facebook from third-party partners, such as infor-
mation from a partner when we jointly offer services or from an advertiser
about your experiences or interactions with them.’ See Facebook Data Policy/
What kinds of information do we collect/Information from third-party
partners.
54 J Jerome, ‘Big Data: Catalyst for a Privacy Conversation’ (2014–15) 48
Indiana Law Review 213, 230.
55 P Burgstaller, ‘Search Engines and the Extra-territorial Dimension of the
EC Data Protection Law’ (2009) 15 Computer and Telecommunications
Law Review 104, 110.
56 In fact, after changing its privacy policy in January 2012, Google was
asked by the French data protection authority (CNIL) to provide the ex-
act number of unique visitors on the Google privacy policy in order to
assess its effectiveness, but the company refused and stressed many means
used for communication between Google and its users. See A Gniewek,
‘Google Privacy Policy – In Breach of EU Law?’ (2013) 7 Masaryk
University Journal of Law and Technology 319, 322.
42 ARTICLE
and Facebook to obtain consumers’ affirmative express
consent before materially changing some of their data
practices and to adopt strong, company-wide privacy
programs that outside auditors would assess.57 In Re
Facebook Inc, in addition to alleging deceptive promises
of privacy inherent in Facebook’s privacy settings, the
FTC argued that Facebook failed to properly notify users
of privacy-related changes in the website.58
According to Article 7 of the EU Directive, personal
data may be processed only if the data subject has un-
ambiguously given his consent. It is also important to
mention that Article 10 of the EU Directive establishes
that a personal data controller must inform the ‘data
subject’ about the purposes of the processing for which
the data are intended.59 Informed consent lies at the
heart of the right to data protection.60
Therefore, it is submitted that according to EU
Directive most of Google and Facebook users do not
give informed consent to these companies regarding the
use of their personal data and therefore, most of the
users’ consent is not unambiguously given.
US scholars also believe that Google and Facebook’s
consent must be informed and freely given. They crit-
icize the fact that users do not convey personally identifi-
able information because they have chosen to do so after
careful deliberation and cost–benefit analysis.61 Some of
them believe that Facebook’s privacy policy shows that
the informed-choice model is completely unrealistic:
‘Facebook users don’t read it, don’t understand it, don’t
rely on it, and certainly aren’t protected by it’.62
For some US scholars, the solution may be found in
contract law. Customers have challenged the enforce-
ability of browse-wrap agreements, based on insufficient
notice, lack of consent, or unconscionable terms.63
However, US courts have dismissed most contract
claims for privacy policy violations as privacy policies
are not deemed contractual in nature64. Although web-
sites often have a ‘terms of use’ page containing contrac-
tual language, their binding nature has not always been
recognized by the courts.65 Moreover, their privacy
57 See ‘Protecting Consumer Privacy in an Era of Rapid Change’ Federal
Trade Commission Report, March 2012, 8 <https://www.ftc.gov/reports/
protecting-consumer-privacy-era-rapid-change-recommendations-busi
nesses-policymakers> accessed 26 January 2017.
58 See FTC Complaint Re Facebook Inc, FTC File 0923184 No C-4365 avail-
able at <https://www.ftc.gov/enforcement/cases-proceedings/092-3184/
facebook-inc> accessed 26 January 2017.
59 Art 2 of EU Directive defines data subject’s consent as: ‘any freely given
specific and informed indication of his wishes by which the data subject
signifies his agreement to personal data relating to him being processed’.
60 Helberger and others (n 2) 163.
61 Tene (n 30) 1433, 1469–70.
62 J. Grimmelmann, ‘Saving Facebook’ (2009) 94 Iowa Law Review
1137, 1181.
63 See Tene (n 30) 1433, 1469.
International Data Privacy Law, 2017, Vol. 7, No. 1
polices exist as special web page of the site, devoted
exclusively to privacy. In fact, US privacy polices pro-
vided in offline contexts are considered to be separate
documents from other disclosures and contractual
terms.66
But, there is no specific US legislation on consent re-
garding personal data processing. The purpose specifi-
cation principle, so deeply ingrained in EU law is not at
all evident in the American regulation.67 However, con-
sent is also considered to be the key issue regarding the
use of personal information in USA. It has been pointed
out that US privacy self-management ‘takes refuge in
consent as consent legitimates nearly all forms of collec-
tion, use or disclosure of personal data’.68 The Fair
Information Practice Principles of ‘Notice’, ‘Choice’,
‘Access’, and ‘Security’ are also based on individual con-
sent, especially the ‘Notice’ and ‘Choice’ Principles.
The Federal Trade Commission requires commercial
websites to provide consumers with clear and conspicu-
ous ‘Notice’ of their information practices and to offer
consumers ‘Choices’ as to how their personal identify-
ing information is used beyond the use for which the
information was provided.69 However, the implementa-
tion of these principles is not regulated by US law and
there are no concrete rules limiting or excluding certain
practices of data collection by companies. It seems that
the ‘Notice’ principle may allow companies to make any
use of personal information that would serve their busi-
ness purpose, as long as consumers accept it. In case of
disclosure of unfair or deceptive practices, the con-
sumer’s consent would be invalid. But what company
would openly disclose deceptive practices? Due to this,
many websites like Google and Facebook disclose how
they monitor, collect, and share personal information
with third parties to comply with the ‘Notice’ principle,
but they often use ambiguous terms that misrepresent
how much information is collected and how it is used.
The Federal Trade Commission has occasionally
brought enforcement actions against companies for fail-
ing to adequately disclose the information they collect,
64 Solove and Hartzog (n 15) 583, 597.
65 For example, the Spanish Supreme Court has confirmed that the terms of
use of an air company website (Ryanair Ltd) does not constitute a con-
tract with a searcher of flight data of low-cost air companies (Edreams
SL) and has, therefore, rejected the binding nature of the following con-
dition imposed by the terms of use of Ryanair: ‘You are not permitted to
use this website other than for private, noncommercial purposes. Use of
any automated system or software to extract data from this website for
commercial purposes (“screen scraping”) is prohibited.’ Spanish
Supreme Court Ruling of 30 October 2012, Judgment No 630/2012.
66 Solove and Hartzog (n 15) 583, 595.
67 See Tene (n 30) 1433, 1463.
68 D Solove, ‘Introduction: Privacy Self-management and the Consent
Dilemma’ (2012–13) 126 Harvard Law Review 1880, 1880.
69 See Federal Trade Commission (n 14) 7 (iii of the Executive Summary).
 on Esteve
Google, Facebook, and privacy issues
Asunci
as they have used vague language to hide deceptive
practices.70
In fact, another important reason that invalidates
Google and Facebook users’ consent is the inadequate
disclosure about the information that Google and
Facebook make available to advertisers. Users are not
aware of giving their personal data to Google and
Facebook whenever they use their services. Users may
be aware of the personal data they provide to Facebook
and Google when they explicitly give their data
through registration forms or share the data with
friends in social network contexts. But to what extent
are they aware of their personal data being automati-
cally stored by Google and Facebook via cookies,
search query logs, and local storage? Most users ignore
the fact that they are providing information about
their family, friends, professional activities, location,
and the devices they use when using Google or
Facebook’s services. A Wall Street Journal investigation
revealed that many Facebook apps were not only pro-
viding data to advertisers but also linking it directly to
their friends’ names, and users’ friends were not noti-
fied if information about them was used by a friend’s
app.71 If users cannot even identify the personal infor-
mation they are giving up, it becomes especially chal-
lenging for them to determine whether their privacy
has been violated.72
This problem is connected with another: Google and
Facebook explain how they share this information with
third parties in such broad terms that they allow them to
use it for purposes beyond the provision of their services.
Their privacy polices explain that they share information
with ‘partners’, ‘subsidiaries’, ‘customers’, ‘affiliated com-
panies or other trusted businesses or persons’, and ‘compa-
nies, organisations, individuals outside Google’, but they
do not explicitly specify the purpose of the data transfers
and the reasons that may justify them.73 In a survey of
Facebook users collected by the Helsinki School of
Economics, the majority (73 per cent) of those who were
said to have read Facebook’s privacy policy, were not
70 See FTC Complaint Re Sears Holdings Management Corporation, FTC File
No 0823099 No C-4264 (31 August 2009) available at < https://www.ftc.
gov/enforcement/cases-proceedings/082-3099/sears-holdings-manage
ment-corporation-corporation-matter> accessed 26 January 2017, and
FTC Complaint for Permanent Injunction and Other Equitable Relief,
FTC v Echometrix, Inc, No CV 10-5516 (EDNY, 30 November 2010)
<https://www.ftc.gov/enforcement/cases-proceedings/102-3006/echome
trix-inc> accessed 26 January 2017.
71 Rubinstein and Good (n 4) 1333, 1397.
72 MS Wagner, ‘Google Glass: A Preemptive Look at Privacy Concerns’
(2013) 11 Journal on Telecommunications & High Technology Law
477, 478.
73 For example, Google explains: ‘We will share personal information with
companies, organisations or individuals outside Google when we have
your consent to do so. We require opt-in consent for the sharing of any
ARTICLE 43
aware that Facebook could, according to this policy,
share their information with outside parties for market-
ing purposes.74
Some EU scholars have highlighted that some of
these practices contravene the principles of fair and le-
gitimate processing of the EU Directive. According to
Article 6 of the EU Personal Data Protection, personal
data must be collected for specified and explicit pur-
poses, not further processed in a way incompatible with
those purposes, and they must be adequate, relevant,
and not excessive in relation to the purposes for which
they were collected.
They have pointed out that search engines should be
very clear about the extent of correlation of data across
services and only proceed on the basis of consent75 and
have observed that Google and Facebook’s practices of
collecting personal data show a difference between data
given for original purposes (to provide better services)
and personal data used for secondary purposes (adver-
tising).76 It seems clear that their privacy policies are
opaque about data used for secondary purposes, and
thus they infringe upon Article 6 of the Directive which
states that personal data must be collected for specified
and explicit purposes. Besides, if one considers the
amount of personal data that Google and Facebook
should use in order to successfully provide their ser-
vices and compares it with the vast amount of personal
data they collect and process for this purpose, the dis-
proportion is huge. This contravenes Article 6 manda-
tory rule of the Directive that personal data must be
‘adequate, relevant and not excessive’ in relation to the
purposes for which they are collected and further
processed.
In USA, due to the lack of specific regulation such as
Article 6 of the EU Directive, it has been argued that the
unlawful transfer of personal information by Google
to third parties may fall under the Electronic
Communications Privacy Act enacted in 1986.77 The
Electronic Communications Privacy Act consists of three
statutes; the Wiretap Act, the Pen Register Act, and the
sensitive personal information.’ See Google privacy policy/Information
we share. Facebook indicates: ‘We transfer information to vendors, ser-
vice providers, and other partners who globally support our business
such as providing technical infrastructure services, analysing how our
Services are used, measuring the effectiveness of ads and services, provid-
ing customer service.’ Facebook data policy/How is this information
shared?
74 O Pitk€anen and VK Tuunainen, ‘Disclosing Personal Data Socially – An
Empirical Study on Facebook Users’ Privacy Awareness’ (2012) 8 Journal
of Information Privacy & Security 3, 19.
75 Burgstaller (n 55) 104, 111.
76 See Wong (n 4) 142, 144.
77 Tene (n 30) 1433, 1476–82.
44 ARTICLE
Stored Communication Act (SCA). The SCA, which
applies to communication stored by third parties, is most
relevant to search engine and social network practices of
users’ privacy. Assuming that search queries constitute
‘contents of communication’ and that Google can be con-
sidered a ‘remote computing services provider’, voluntary
disclosure of user search queries is prohibited, regardless
of whether such disclosure is made to a government or
non-government entity. But Section 2702(b) of the SCA
sets forth seven exceptions to this rule. According to one
of them, a service provider may divulge contents of a
communication to a government or non-government en-
tity ‘with the lawful consent of the subscriber’. Thus, when
users are not clearly informed about how his/her personal
data will be shared with advertisers, there is an unaccept-
able basis for disclosure of communication content under
SCA.78 The same reasoning can be applied to Google and
Facebook’s unlawful transfer of users’ personal data.
Tort law, in particular the tort of breach of confiden-
tiality, has also been suggested by US scholars as a
mechanism to protect users’ privacy, without eliminat-
ing the ability of search engines or social networks to
make lawful use of the data they collect.79 The tort of
appropriation was rejected by courts as a means of pro-
tecting against the sale of personal information.80
However, the US law’s chief reaction to the new practice
by companies of collecting and sharing personal infor-
mation has not been through tort law, but Fair
Information Practice Principles.81
The ‘Choice’ Fair Information Practice Principle re-
quires companies to offer consumer choices as to how
their personal identifying information is used beyond
the use for which the information was provided.82 The
Federal Trade Commission has often required compa-
nies to make modifications to their privacy policies to
better notify users that their personal information is be-
ing collected, used, and shared,83 as these practices are
considered to be unfair acts that violate the Federal
Trade Commission Act.84 In Re Google Inc, the Federal
Trade Commission charged Google with violating the
Federal Trade Commission Act in connection with
Google’s launch of its social networking tool ‘Google
78 Ibid 1433, 1480.
79 Ibid 1433, 1486–90.
80 Solove and Hartzog (n 15) 583, 590.
81 PM Schwartz, ‘Preemption and Privacy’ (2009) 118 Yale Law Review
902, 907.
82 See Federal Trade Commission (n 14) 7 (iii of the Executive Summary).
83 Solove and Hartzog (n 15) 583, 617.
84 Sony BMG Music Entertainment agreed to settle FTC charges that it vio-
lated federal law when it sold CDs without telling consumers that con-
tained technology that monitored their listening habits. See <https://
www.ftc.gov/enforcement/cases-proceedings/062-3019/sony-bmg-music-
entertainment-matter> accessed 26 January 2017.
International Data Privacy Law, 2017, Vol. 7, No. 1
Buzz’ because Google led users to believe that they
could choose whether or not they joined the Buzz net-
work but the options for declining were essentially inef-
fective.85 Facebook also had problems in the USA as a
result of not giving users control over how their infor-
mation was shared. In 2010 Facebook announced two
new features: social plug-ins (which added ‘like’ and
‘recommend’ buttons to third-party websites without
clearly indicating to users when their profile might be
shared with these websites) and ‘instant personalization’
(which allow a few select partners to personalize their
web pages by using personal information that Facebook
disclosed without a user’s explicit consent). These
changes were immediately and widely criticized by pri-
vacy advocates, bloggers, and Members of the Congress,
and led the Electronic Privacy Information Center
(EPIC) to file a complaint against Facebook with the
Federal Trade Commission.86
Therefore, although both the US and the EU’s legisla-
tive regimes offer mechanisms to protect Google and
Facebook users from unlawful sharing of their personal
data with third parties, the EU Directive protection
seems more effective than US law, since it requires the
user to ‘unambiguously consent’ (Article 7) and deter-
mines lawful practices of collecting personal data
(Article 6).
Insufficient user access and control of their
personal information
One of the key achievements of the EU Directive has
been to establish the data subject rights regarding per-
sonal data when they are being processed. The EU
Directive guarantees data subjects ‘the right of access’
(Article 12) to their personal data that is being pro-
cessed, and the ‘right to object’ to the processing
(Article 14).
According to Article 12 of the EU Directive, ‘the right
of access’ means that the individual may obtain from
the controller confirmation of data relating to him that
are being processed and information of purposes of
processing, rectification, or blocking of data which does
85 See FTC Complaint Re Google Inc, 13 October 2011, FTC File 1023136
No C-4336 available at <https://www.ftc.gov/enforcement/cases-proceed
ings/google-inc>. The FTC alleged that Google misrepresented to users
of its Gmail service that: (i) Google would not use their information for
any purpose other than to provide email service; (ii) users would not be
automatically enrolled in the Buzz network; and (iii) users could control
what information would be public on their Buzz profiles.
86 Rubinstein and Good (n 4) 1333, 1402. See Complaint, Request for
Investigation, Injunction, and Other Relief, Facebook, Inc, EPIC, FTC
No 0923184 (5 May 2010) <http://epic.org/privacy/facebook/EPIC_
FTC_FB_Complaint.pdf> accessed 26 January 2017.
 on Esteve
Google, Facebook, and privacy issues
Asunci
not comply with the Directive, and notification to third
parties to whom data have been disclosed. According to
Article 14 of the EU Directive, ‘the right to object’
grants individuals the claim to object the processing of
his data at any time on compelling legitimate grounds
and when the controller anticipates that his data is being
processed for marketing purposes.
The ‘right of access’ and the ‘right to object’ grant
data subjects a more powerful ownership of their per-
sonal data than that of the right of property in tangible
goods. Even if they agree to transfer their personal data,
data subjects are empowered to control the data and
even to ask the controller to cancel said data. These two
rights show how personal data protection in Europe is
deep-rooted in the fundamental right of privacy.
Google and Facebook do not respect ‘the right of ac-
cess’ and ‘the right to object’ of their users. For example,
their privacy policies never mention that users can have
access to their personal data in order to erase them, or
that they can complain if their data is retained longer than
necessary. In practice, the major search engines retain data
of their users in personally identifiable form for over a
year, whereas the Article 29 Working Party does not see a
basis for a retention period beyond six months.87 Neither
company guarantees users the total removal of their per-
sonal data when they log out from their services or gives
them a degree of control over what happens to their ac-
counts when they die.88 These practices, which are carried
out not only by Google and Facebook but by other search
engines and social networks (Myspace, Real Networks,
Instagram, Yahoo, etc) make some EU scholars condemn
these companies’ lack of respect for privacy rights. They
consider that they develop ‘a business model aimed at
undermining a fundamental right’.89
There are no such concepts as the ‘right of access’ or
the ‘right to object’ in US privacy regulation. The
Fourth Amendment provides ‘the right of the people to
be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be
violated, and no warrants shall issue, but upon probable
cause . . .’. But the Fourth Amendment protects individ-
uals from government search and seizure. It does not
apply to the private sector and therefore, does not limit
87 Burgstaller (n 55) 104, 113.
88 J. Mazzone, ‘Facebook’s Afterlife’ (2011–12) 90 North Carolina Law
Review 1643, 1685.
89 Helberger and others (n 2) 163.
90 Tene (n 30) 1433, 1470.
91 See Federal Trade Commission (n 14) 7 (iii of the Executive Summary).
92 See The Executive Office of the President (n 49) 19.
93 Rubinstein and Good (n 4) 1333, 1403.
94 Google declares that ‘we may share aggregated, non-personally identifiable
information publicly and with our partners – like publishers, advertisers or
ARTICLE 45
Google or Facebook from collecting, using, retaining, or
transferring data to corporate third parties. Because of
this, the constitutional doctrine for privacy protection
in the USA has been qualified as overly narrow and out-
dated, particularly in light of the market and the tech-
nological developments of the past three decades.90
In the absence of federal law governing the collection,
retention, and use of personal data by commercial web-
sites, the Federal Trade Commission requires them to
comply with the Fair Information Practice Principle of
‘Access’. According to the ‘Access’ principle, commercial
websites that collect personal identifying information
should offer consumers reasonable access to the infor-
mation collected about them, including a reasonable op-
portunity to review information, correct inaccuracies, or
delete information.91 Moreover, the Consumer Privacy
Bill of Rights recognizes that consumers have a right to
access and correct personal data (access and accuracy)
and declares that companies also should ‘provide con-
sumers with reasonable access to personal data that they
collect or maintain about them, as well as the appropri-
ate means and opportunity to correct inaccurate data or
request its deletion or use limitation’.92
Therefore, US data subjects can file complaints
against the Federal Trade Commission if Google and
Facebook do not provide access to their data or if they
do not erase personal data when users choose to log
out. In fact, in September 2011, privacy advocates asked
the Federal Trade Commission to ban Facebook’s use of
the ‘Like’ button which continued to track users even
after they had logged out of Facebook.93
However, the EU Directive not only provides data
subjects with a ‘right of access’ and a ‘right to control’,
but also determines the specific scope of both rights.
With respect to this, EU legislation offers a more inten-
sive defence of personal data than US legislation.
Risk of re-identifying anonymous personal data
Google and Facebook’s privacy policies declare that they
share users’ information with third parties when they
have removed all personally identifiable information
from the data.94
connected sites’. See Google privacy policy/Information that we share. Non-
personally identifiable information is a Key Term that is defined in Google’s
privacy policy as ‘information that is recorded about users so that it no lon-
ger reflects or references an individually identifiable user’. Facebook states
that ‘We do not share information that personally identifies you (personally
identifiable information is information like name or email address that can
by itself be used to contact you or identifies who you are) with advertising,
measurement or analytics partners unless you give us permission.’ See
Facebook data policy/How is this information shared?
46 ARTICLE
These longstanding practices are viewed as unobjec-
tionable because they are not based on personally iden-
tifiable information. All such data collection is done
anonymously. However, the distinction between identi-
fiable and non-identifiable information has become
considerably weakened, both as a matter of scientific
principle and a matter of policy.95 Case studies and re-
search publications have shown how difficult it is to cre-
ate a truly anonymous dataset while retaining as much
of the underlying information as required for the task.96
Article 2 of the EU Directive defines ‘personal data’
as ‘any information relating to an identified or identifiable
natural person’. Therefore, personally identifiable infor-
mation or personal data is any piece of information that
can potentially be used to uniquely identify, contact, or
locate a single person.97
When does personal data become completely irre-
versible anonymized data? Is it enough to remove
the name from the users’ logged information? The an-
swer is negative. For example, cookies and IP addresses
constitute ‘personally identifiable information’. Contrary
to anonymized data, persistent cookies containing a
unique user ID are clearly personal data and therefore
subject to applicable data protection legislation.98
Article 29 Working Party is of the view that IP
addresses fall under the definition of personal data, be-
cause although IP addresses in most cases are not di-
rectly identifiable by search engines, identification can
be achieved by a third party.99
It was requested by the German Supreme Court that
the Court of Justice of the EU provides a preliminary rul-
ing to resolve whether an IP address stored by a service
provider constitutes personal data as an access provider
can identify the data subject.100 Obviously, this poses a
serious problem to Google and Facebook’s behavioural
advertising methods, such as remarketing. The Article 29
Working Party notes that behavioural advertising meth-
ods often entail the processing of personal data. This is
due to various reasons: first, behavioural advertising nor-
mally involves the collection of IP addresses and the pro-
cessing of unique identifiers (through the cookie) that
95 McLaughlin (n 30) 55, 70.
96 See Article 29 Working Party, ‘Opinion 05/2014 on Anonymisation
Techniques’, 3 <http://ec.europa.eu/justice/data-protection/article-29/
documentation/opinion-recommendation/files/2014/wp216_en.pdf>
accessed 26 January 2017.
97 Pitk€anen and Tuunainen (n 74) 3, 39.
98 Burgstaller (n 55) 104, 110.
99 See Article 29 Working Party, ‘Opinion 1/2008 on Data Protection Issues
Related to Search Engines’, April 2008, 8 <http://ec.europa.eu/justice/
data-protection/article-29/documentation/opinion-recommendation/
files/2008/wp148_en.pdf> accessed 26 January 2017.
100 Preliminary ruling from the German Supreme Court lodged on
17 December 2014—Patrick Breyer v Bundesrepublik Deutschland (Case
C–582/14), Official Journal of the European Union, 2015/C 089/05—The
International Data Privacy Law, 2017, Vol. 7, No. 1
allows the tracking of users of a specific computer even
when dynamic IP addresses are used; secondly, the infor-
mation collected in the context of behavioural advertising
relates to a person’s characteristics or behaviour and it is
used to influence that particular person.101
Therefore, although Google and Facebook affirm that
they only provide data to their advertising partners after
they have removed the user’s name and other personally
identifying information from it, their behavioural ad-
vertising methods—for example, remarketing—are
based on cookies and IP address identification in such a
way that many times the data used is not anonymous.
Some US authors also share this opinion.102
So, both sides of the ocean are quite sceptical about
Google and Facebook’s guarantees of keeping the per-
sonal data anonymous that they collect and share with
third parties.
Conclusions
There are three main assumptions about the contrast
between the US and the EU’s approaches to privacy and
data protection: (i) Europe believes in protecting data
privacy as a fundamental right, whereas the US legal tra-
dition is different; (ii) Europe is concerned about inva-
sion of privacy by big corporations, while the USA cares
instead about invasion of privacy by big government;
and (iii) Europe believes in comprehensive legislation
while the USA supports self-regulation and multi-
stakeholder processes.103 However, the truth is that
Google and Facebook could be sued both in US and EU
courts for unlawful practices regarding the use of per-
sonal data, although EU legislation provides users with
more effective and complete protection.
Google and Facebook offer their services to users and
benefit in return from the personal data of their cus-
tomers, which needs some specific regulation. In the
USA, most Federal data privacy statutes apply only to
specific sectors such as healthcare, education, communi-
cations, and financial services or, in the case of online
data collection, to children.104 In the absence of specific
question referred is: ‘Must Article 2(a) of Directive 95/46/EC of the
European Parliament be interpreted as meaning that an Internet Protocol
address (IP address) which a service provider stores when his website is
accessed already constitutes personal data for the service provider if a
third party (an access provider) has the additional knowledge required in
order to identify the data subject?’
101 See Article 29 Working Party (n 38) 9.
102 See Tene (n 30) 1433, 1452; McLaughlin (n 30) 55, 75–6.
103 See P Swire, ‘Peter Hustinx and Three Clichés about EU-US Data
Privacy’ in Data Protection Anno 2014: How to Restore Trust?
Contributions in Honour of Peter Hustinx, European Data Protection
Supervisor (2004–14) <http://peterswire.net/publications_post/peter-hus
tinx-three-cliches-e-u-u-s-data-privacy/> accessed 26 January 2017.
104 See The Executive Office of the President (n 49) 6.
 on Esteve
Google, Facebook, and privacy issues
Asunci
legislation on consumer data privacy, US government
agencies and self-regulators should provide a framework
to safeguard consumers’ rights. But one wonders if the
market is capable of self-regulation when consumers are
not fully aware of what personal data they are giving
up.105 In other words, US corporations are taking ad-
vantage of ‘self-regulation’ and commercially benefitting
because such a form of regulation itself is impossible to
achieve due to a lack of informed consent. For this rea-
son, US privacy legislation should be rapidly adapting
to the new range of business models based on exploiting
personal data as a means of making money.
Some people believe that the European model is
more appropriate to deal with today’s technological
landscape.106 However, because the EU Directive is
based on privacy as a fundamental right, it provides a
protection that is too intensive for personal data when
they are processed by companies. Almost any processing
of personal data falls under the scope of the EU
Directive and requires consent by the person concerned.
The recently adopted EU General Data Protection
Regulation even includes stricter conditions for
105 See Schinasi (n 39) 569, 583.
106 Ibid 569, 610.
107 Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such
data, and repealing Directive 95/46/EC (General Data Protection
Regulation), see the press release at <http://www.europarl.europa.eu/
news/en/news-room/20160407IPR21776/Data-protection-reform-Parlia
ARTICLE 47
consent.107 However, in some cases, personal data is
processed by companies in such a way that it does not
intrude upon privacy. In other words, not all personal
information collection is harmful, but certain kinds of
collection can be.108
This shows how protecting privacy requires careful
balancing, as neither privacy nor its countervailing in-
terests are absolute values.109 Legal frameworks that
constantly constrain how personal data can be linked,
shared, and used (such as collection limitations, pur-
poses specifications, and use limitations) are becoming
increasingly less effective and anachronistic in today’s
hyper-connected world.110 It is necessary to rethink the
adequate legal protection of personal data without re-
straining innovation and the development of new com-
munication techniques. But it is also necessary for
Google and Facebook to stop applying intrusive tech-
niques and find safer ways to develop their business.
doi:10.1093/idpl/ipw026
ment-approves-new-rules-fit-for-the-digital-era> accessed 26 January
2017.
108 See D Solove, ‘A Taxonomy of Privacy’ (2006) 154 University of
Pennsylvania Law Review 477, 488.
109 Ibid 477, 558.
110 See ‘Unlocking the Value of Personal Data’ (n 50) 4.