OAIC joins with global privacy regulators to call for more information from the Libra Network

Date: 6 August 2019
Tags: statement, media release

International data protection and privacy regulators are calling on Facebook and the Libra Network to explain how they will secure and protect personal information as part of their global cryptocurrency project.

The joint action has been driven by the Office of the Australian Information Commissioner and the UK Information Commissioner’s Office and backed by data protection authorities from the United States, Canada and the European Union.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said: “This is an important step in a global regulatory movement that is holding online companies to account for how they handle personal information.

“Given the many initiatives taking place in our finance and technology sector, privacy must be a key component of any significant digital initiative such as Libra.”

Joint statement on global privacy expectations of the Libra Network

As representatives of the global community of data protection and privacy enforcement authorities, collectively responsible for promoting the privacy of many millions of people around the world, we are joining together to express our shared concerns about the privacy risks posed by the Libra digital currency and infrastructure. Other authorities and democratic lawmakers have expressed concerns about this initiative. These risks are not limited to financial privacy, since the involvement of Facebook Inc., and its expansive categories of data collection on hundreds of millions of users, raises additional concerns. Data protection authorities will also work closely with other regulators.

Many of us in the regulatory community have had to address previous episodes where Facebook’s handling of people’s information has not met the expectations of regulators, or their own users. Because of this, we are sharing our expectations of the Libra Association, Facebook’s subsidiary Calibra, and any future Libra digital wallet provider (collectively referred to as the Libra Network) in protecting the personal information it will handle.

We, the signatories to this statement, represent a cross section of the data protection regulation community. And while there are differences in our regulatory frameworks and cultures, the potential risks associated with the Libra Network and our expectations of the Libra Network to protect personal information are common to us all. We are supportive of the economic and social benefits that new technologies can bring, but this must not be at the expense of people’s privacy.

In today’s digital age, it is critical that organisations are transparent and accountable for their personal information handling practices. Good privacy governance and privacy by design are key enablers for innovation and protecting data – they are not mutually exclusive.

To date, while Facebook and Calibra have made broad public statements about privacy, they have failed to specifically address the information handling practices that will be in place to secure and protect personal information.

Additionally, given the current plans for a rapid implementation of Libra and Calibra, we are surprised and concerned that this further detail is not yet available.

The involvement of Facebook Inc. as a founding member of the Libra Association has the potential to drive rapid uptake by consumers around the globe, including in countries which may not yet have data protection laws in place. Once the Libra Network goes live, it may instantly become the custodian of millions of people’s personal information.

This combination of vast reserves of personal information with financial information and cryptocurrency amplifies our privacy concerns about the Libra Network’s design and data sharing arrangements.

We expect that the Libra Network will satisfactorily address the following questions:

  1. How can global data protection and privacy enforcement authorities be confident that the Libra Network has robust measures to protect the personal information of network users?

    In particular, how will the Libra Network ensure that its participants will:

    1. provide clear information about how personal information will be used (including the use of profiling and algorithms, and the sharing of personal information between members of the Libra Network and any third parties) to allow users to provide specific and informed consent where appropriate;
    2. create privacy-protective default settings that do not use nudge techniques or “dark patterns” to encourage people to share personal data with third parties or weaken their privacy protections;
    3. ensure that privacy control settings are prominent and easy to use;
    4. collect and process only the minimum amount of personal information necessary to achieve the identified purpose of the product or service, and ensure the lawfulness of the processing;
    5. ensure that all personal data is adequately protected; and
    6. give people simple procedures for exercising their privacy rights, including deleting their accounts, and honouring their requests in a timely way.
  2. How will the Libra Network incorporate privacy by design principles in the development of its infrastructure?
  3. How will the Libra Association ensure that all processors of data within the Libra Network are identified, and are compliant with their respective data protection obligations?
  4. How does the Libra Network plan to undertake data protection impact assessments, and how will the Libra Network ensure these assessments are considered on an ongoing basis?
  5. How will the Libra Network ensure that its data protection and privacy policies, standards and controls apply consistently across the Libra Network’s operations in all jurisdictions?
  6. Where data is shared amongst Libra Network members:
    1. what data elements will be involved?
    2. to what extent will it be de-identified, and what method will be used to achieve de-identification?
    3. how will the Libra Network ensure that data is not re-identified, including by use of enforceable contractual commitments with those with whom data is shared?

We look forward to receiving a response from the Libra Network answering these questions, which represent a non-exhaustive list. Data protection authorities may individually follow up with Libra with more specific questions as the proposals and service offering develop.

We also expect all organisations involved to comply with relevant data protection and privacy laws. These laws apply online, just as they do in the physical world.

Strong privacy safeguards are the foundation for innovation in the digital world. As data protection and privacy enforcement authorities we will work together to assert this at a global level, and we encourage all organisations to engage with data protection and privacy authorities when developing services with significant implications for privacy.

Besnik Dervishi
Information and Data Protection Commissioner
Albania

Angelene Falk
Australian Information and Privacy Commissioner
Australia

Daniel Therrien
Privacy Commissioner
Canada

Marguerite Ouedraogo Bonane
President of the Commission for Information Technology and Civil Liberties
Burkina Faso

Giovanni Buttarelli
European Data Protection Supervisor
European Union

Elizabeth Denham CBE
Information Commissioner
United Kingdom

Rohit Chopra
Commissioner of the Federal Trade Commission
USA

Background

On 18 June 2019, the Libra Association announced a project to create a global cryptocurrency using blockchain technology (the Libra Blockchain). Facebook, a founding member of the Libra Association, also announced the creation of its subsidiary, Calibra, which would participate in the Libra Blockchain.
