Facebook changes policy after investigation by Dutch Data Protection Authority

Facebook has changed its personal data policy following an investigation by the Dutch Data Protection Authority (Dutch DPA). Aleid Wolfsen, the chair of the Dutch DPA said, ‘Ensuring that Facebook complies with the new privacy law is a matter for the EU as a whole. Since Facebook has its headquarters in Ireland, the Irish authorities have the leading role, but obviously they will be working with the other European data protection bodies.’

Changes urged by the Dutch DPA

Facebook has changed its personal data policy, partly in response to the investigation by the Dutch DPA. Users are now given more extensive information about:

  • the nature of the personal data being processed;
  • the reason the data is being processed;
  • how and with whom personal data is shared; and
  • the legal basis for the processing.


In 2017 the Dutch DPA determined that Facebook was acting unlawfully in two respects:

  • It was not adequately informing users about the fact that their personal data was being used for targeted advertising.
  • It was processing information about people’s sexual orientation for commercial purposes without the users’ explicit permission. Previously, Facebook allowed advertisers to target individuals on the basis of their sexual orientation, which users have the option of indicating in their profile. At the urging of the Dutch DPA, Facebook scrapped this option for European users in 2017.

Further investigation

Like other European data protection bodies, the Dutch DPA has questions about the new privacy policy, the legality of processing personal data and the new privacy menu. A new European privacy law, the General Data Protection Regulation (GDPR), took effect on 25 May 2018.

As a result, investigations of this nature no longer need to be carried out by the individual data protection body in every country; they can now be conducted EU-wide. In this instance the Irish body will play the leading role.

Winkelend publiek