The Office of the Australian Information Commissioner and its counterparts in the UK, US, Canada and EU have called on Facebook and its subsidiary Calibra will ensure personal information is protected when as the Libra cryptocurrency project is rolled out.
“To date, while Facebook and Calibra have made broad public statements about privacy, they have failed to specifically address the information handling practices that will be in place to secure and protect personal information,” a joint statement issued by the regulators said.
“Additionally, given the current plans for a rapid implementation of Libra and Calibra, we are surprised and concerned that this further detail is not yet available.”
Facebook in June this year announced it would launch Calibra with the aim of developing a new digital wallet for Libra. The digital wallet will be available through Facebook’s WhatsApp and Messenger apps as well as a standalone app in its own right.
“From the beginning, Calibra will let you send Libra to almost anyone with a smartphone, as easily and instantly as you might send a text message and at low to no cost,” Facebook said in its announcement. “And, in time, we hope to offer additional services for people and businesses, like paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit without needing to carry cash or a metro pass.”
Facebook said that it would take steps to protect the privacy of Calibra users. “Aside from limited cases, Calibra will not share account information or financial data with Facebook or any third party without customer consent,” the company said. Calibra data will not be used to improve Facebook ad targeting, the announcement said.
A statement released by Calibra said those “limited cases” included working to prevent fraud or criminal activity, compliance with the law and sharing data with payment processors necessary to complete a transaction. However, Calibra said it may also share aggregated data with Facebook or third parties, as well as employ Facebook data (including in some cases to personalise or improve a Calibra feature).
Calibara will “use customer data to facilitate and improve the Calibra product experience, market Calibra products and services, comply with legal and regulatory obligations, and ensure safety, security, and integrity” the Facebook subsidiary’s ‘customer commitment’ document states.
“The involvement of Facebook Inc. as a founding member of the Libra Association has the potential to drive rapid uptake by consumers around the globe, including in countries which may not yet have data protection laws in place,” the joint statement from privacy regulators said. “Once the Libra Network goes live, it may instantly become the custodian of millions of people’s personal information.
“This combination of vast reserves of personal information with financial information and cryptocurrency amplifies our privacy concerns about the Libra Network’s design and data sharing arrangements.”
The statement includes six questions [see below] for Facebook and the Libra Network, focused on how it will protect personal information.
“This is an important step in a global regulatory movement that is holding online companies to account for how they handle personal information,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
“Given the many initiatives taking place in our finance and technology sector, privacy must be a key component of any significant digital initiative such as Libra.”
We expect that the Libra Network will satisfactorily address the following questions:
1. How can global data protection and privacy enforcement authorities be confident that the Libra Network has robust measures to protect the personal information of network users?
In particular, how will the Libra Network ensure that its participants will:
a. provide clear information about how personal information will be used (including the use of profiling and algorithms, and the sharing of personal information between members of the Libra Network and any third parties) to allow users to provide specific and informed consent where appropriate;
b. create privacy-protective default settings that do not use nudge techniques or “dark patterns” to encourage people to share personal data with third parties or weaken their privacy protections;
c. ensure that privacy control settings are prominent and easy to use;
d. collect and process only the minimum amount of personal information necessary to achieve the identified purpose of the product or service, and ensure the lawfulness of the processing;
e. ensure that all personal data is adequately protected; and
f. give people simple procedures for exercising their privacy rights, including deleting their accounts, and honouring their requests in a timely way.
2. How will the Libra Network incorporate privacy by design principles in the development of its infrastructure?
3. How will the Libra Association ensure that all processors of data within the Libra Network are identified, and are compliant with their respective data protection obligations?
4. How does the Libra Network plan to undertake data protection impact assessments, and how will the Libra Network ensure these assessments are considered on an ongoing basis?
5. How will the Libra Network ensure that its data protection and privacy policies, standards and controls apply consistently across the Libra Network’s operations in all jurisdictions?
6. Where data is shared amongst Libra Network members:
a. what data elements will be involved?
b. to what extent will it be de-identified, and what method will be used to achieve de-identification?
c. how will Libra Network ensure that data is not re-identified, including by use of enforceable contractual commitments with those with whom data is shared?