In the wake of Facebook's ongoing privacy scandal, lawmakers and pundits alike have cited the European Union’s General Data Protection Regulation (GDPR) as a possible solution for users. Currently, the GDPR would require Facebook to apply these regulations to 1.9 billion users worldwide. Naturally, Facebook is fighting tooth and nail to wriggle out of it.
The GDPR, a set of laws governing what kind of data tech companies can collect on users, requiring explicit opt-in consent from users as well as more transparency when it comes to breaches, goes into effect on May 25th, 2018. But why would European law apply to Facebook users outside of Europe?
In a surprise twist, Facebook's previous attempts to circumvent its obligations may have landed the company between a rock and a hard place.
Facebook, like many other US tech companies, has its international headquarters in Ireland, an EU country, in order to take advantage of the country’s low corporate tax rates. Because of this, all Facebook users outside the US and Canada are governed by terms of service established in this international HQ, and thus protected by GDPR.
These international users include 1.5 billion Facebook members in Africa, Asia, Australia and Latin America, over 70% of Facebook's base of users. But the social network is making moves to ensure that they are excluded from the upcoming consumer protections.
According to Reuters, Facebook is moving quietly to make the case for only complying with GDPR for its European users. The company is keen to reduce its exposure to GDPR, as the law imposes fines up of to 4 percent of global annual revenue for collecting or using personal data without users’ consent. In Facebook-level money, that could mean billions of dollars.
Facebook's maneuvering came as a surprise to Irish officials, one of which told Reuters he was unaware of the change. But Facebook released revised terms of service in draft form two weeks ago, and they are scheduled to take effect next month, in time to combat GDPR.
Regulation like the GDPR would mean that Facebook would suffer serious financial consequences if the company was found to be as lax with user data as it was in the Cambridge Analytica affair. It would also give individual users more control over their personal data, and the 'right to be forgotten', or remove data that Facebook has gathered on them. It would also hamper Facebook's practice of 'shadow profiles', or files gathered on people who never signed up to the social network.
Mark Zuckeberg himself, during his congress hearings, has made approving noises of GDPR as a potential solution to the social network's privacy problems, but the Facebook CEO always stopped short of promising these protections to all its users in the US and elsewhere.
Facebook claims to apply privacy protections 'in spirit'
Zuckerberg previously told Reuters in an interview that his company would apply the EU law globally "in spirit", but it's clear that Facebook will do its best to avoid having to adopt this standard in practice.
If Facebook's move succeeds, these 1.5 billion users will be governed by more lenient US privacy laws. This will give Facebook more control to collect and use certain types of data such as browsing history, for instance, which is considered personal data under EU law but not protected under US law.
Facebook claims that it wishes to exclude these users “because EU law requires specific language” and terminology not used in US law. Naturally, a company wishes to be under the most lax regulation possible, which is what prompted the establishment of the Ireland HQ in the first place. Now that it's not so convenient, it's time for Facebook to regroup.
When faced with real consequences for being irresponsible with user data, Facebook will attempt to withdraw protections, not extend them.
For Facebook users in the social network's home country of the United States, the company's legal wriggling abroad should come as a warning sign. Despite the corporation's high-minded language, when faced with real consequences for being irresponsible with user data, Facebook will try its hardest to withdraw protections, not extend them.
What do you think? Should the US apply the same pressure on Facebook to protect citizens at home?