The update to the bloc’s data protection framework is intended to strengthen consumers’ control over how their personal data is used by bolstering transparency and consent requirements, and beefing up penalties for data breaches and privacy violations.
In an open letter addressed to founder Mark Zuckerberg, a coalition of US and EU consumer and privacy rights groups urges the company to “confirm your company’s commitment to global compliance with the GDPR and provide specific details on how the company plans to implement these changes in your testimony before the US Congress this week”.
The letter is written by the Trans Atlantic Consumer Dialogue, and co-signed by Jeffrey Chester, the executive director of the Center for Digital Democracy in the US and Finn Lützow-Holm Myrstad, the head of the digital services section at the Norwegian Consumer Council.
“The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process,” they write. “The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located.
“We favor the continued growth of the digital economy and we strongly support innovation. The unregulated collection and use of personal data threatens this future. Data breaches, identity theft, cyber-attack, and financial fraud are all on the rise. The vast collection of personal data has also diminished competition. And the targeting of internet users, based on detailed and secret profiling with opaque algorithms, threatens not only consumer privacy but also democratic institutions.”
Zuckerberg caused confusion about Facebook’s intentions towards GDPR last week when he refused to confirm whether the company would apply the same compliance measures for users in North America — suggesting domestic and Canadian Facebookers, whose data is processed in the US, rather than Ireland (where its international HQ is based), would be subject to lower privacy standards than all other users (whose data is processed within the EU) after May 25 when GDPR comes into force.
In a subsequent conference call with reporters, Zuckerberg further fogged the issue by saying Facebook intends to “make all the same controls available everywhere, not just in Europe” — yet he went on to caveat that by adding: “Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places.”
Privacy experts were quick to point out that “controls and settings” are just one component of the data protection regulation. If Facebook is truly going to apply GDPR universally it will need to give every Facebook user the same high privacy and data protection standards that GDPR mandates for EU citizens — such as by providing users with the right to view, amend and delete personal data it holds on them; and the right to obtain a copy of this personal data in a portable format.
Facebook does currently provide some user data on request — but this is by no means comprehensive. For example it only provides an eight-week snapshot of information to users about which advertisers have told it they have a user’s consent to process their information.
In denying a more fulsome fulfillment of what’s known in Europe as a ‘subject access request’, the company told one requester, Paul-Olivier Dehaye, the co-founder of PersonalData.IO, that it would involve “disproportionate effort” to fulfill his request — invoking an exception in Irish law in order to circumvent current EU privacy laws.
“[Facebook] are really arguing ‘we are too big to comply with data protection law’,” Dehaye told a UK parliamentary committee last month, discussing how difficult it has been to get the company to divulge information it holds about him. “The costs would be too high for us. Which is mindboggling that they wouldn’t see the direction they’re going there. Do they really want to make that argument?”
Whether that situation changes once GDPR is in force remains to be seen.
The new framework at least introduces a regime of much larger penalties for privacy violations — beefing up enforcement with maximum fines of up to 4% of a company’s global annual turnover. So the legal risks of trying to circumvent EU data protection law will inflate substantially in just over a month.
“Consumer groups and privacy groups, human rights groups, civil rights groups will all probably be watching how GDPR is implemented,” Finn Lützow-Holm Myrstad tells TechCrunch. “And will be ready to probably go to court to establish that these are fundamental rights for European citizens at the moment. So we’re definitely going to pay attention.
“But obviously we really want the industry to work with us and to take this seriously because if they don’t there will be a very negative spiral of court cases and a chilling effect for consumers because they will be afraid of using these services. And they will be caught in the middle because of the lack of options that they have when it comes to these services. And I don’t think that’s good for anyone. So we really hope that this is sign of change — real change — from Facebook.”
The company remains under huge pressure following revelations about how much Facebook user information was passed to a controversial political consultancy, Cambridge Analytica, by a developer using its platform to deploy a quiz app as a vehicle for harvesting personal data without most users’ knowledge or consent.
Facebook has said as many as 87M users could have had their data passed to Cambridge Analytica as a result of them or their friends downloading the app in 2014.
Zuckerberg is due to give testimony on this and likely wider issues related to privacy and data protection on his platform to US politicians this week.
One line of questioning might well focus on why Facebook has so studiously ignored years of warnings that it was not adequately locking down access to user data on its platform.
The Norwegian Consumer Council actually filed a complaint about Facebook app permissions all the way back in 2010, writing presciently then: “Third-party applications should only be given access to the information they need in order to function. Facebook should not be able to renounce responsibility for the way in which third parties collect, store or use personal data. As a facilitator and operator Facebook must take direct responsibility for the applications available on the platform.”
Myrstad says Facebook’s response to these sort of privacy complaints has been “sadly very, very little”.
On the contrary, he says the company has made it “really, really difficult to opt out of their tracking, their profiling”. He also describes Facebook’s default settings as “a nightmare” for people to understand. In terms of GDPR compliance, he says he believes Facebook will need to make changes to their business model and alter default settings — at very least for users whose data gets processed via Facebook Ireland.
“They will definitely need to have much better consent mechanisms than they do today. Much less take it or leave it,” says Myrstad. “I think there will be a discussion also in Europe, and I think it’s not yet written in stone yet how this will turn out, but we definitely also think that the amount of tracking that Facebook does by default on other websites will need an actual explicit consent — which there is not today. It’s not possible to opt out of the tracking.
“You can opt out of behavioral advertising but that’s not the same as opting out from tracking. And I think the way they do that today is not in line with GDPR… I think they will actually struggle [to comply]. They’re already struggling under current law in Europe. So they will need to make some fundamental changes to their business model.”
At the time of writing Facebook had not responded to a request for comment.