Gulf News

Why Facebook fears new privacy rules

The social media giant may be required to stop misleading users and customers about practices central to its business model

By Leonid Bershidsky

Leonid Bershidsky is the founding editor of the business daily Vedomosti and founded the opinion website Slon.ru.

Facebook chief executive officer Mark Zuckerberg and chief operating officer Sheryl Sandberg have apologised (again and again) for the company’s handling of user data. The best indication that they aren’t actually sorry, however, is Facebook’s intention to change its terms of service to put all non-European users under the jurisdiction of its United States headquarters, rather than the international headquarters in Dublin, Ireland. That means users in Africa, Asia, Australasia and Latin America won’t be covered by the European Union’s General Data Protection Regulation (GDPR), effective May 25. Britain may also get a carveout after Brexit.

Facebook’s admission of the planned change comes immediately after the company effectively promised to apply GDPR protections to the entire world. “Today we’re introducing new privacy experiences for everyone on Facebook as part of the EU’s General Data Protection Regulation (GDPR), including updates to our terms and data policy,” the company wrote in a blog post on Wednesday. “Everyone — no matter where they live — will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook.”

But once non-European users’ agreements are no longer with Facebook Ireland, now responsible for all of the company’s activities outside North America, they won’t be able to hold the company legally responsible for GDPR violations. In effect, they’ll be subject to toothless US privacy laws.

Under the GDPR, companies can be fined up to 4 per cent of their annual global revenue for not having sufficient customer consent to process data or ignoring the “privacy by design” principle that states customers’ privacy rights must be handled as a core feature of the product, not an afterthought. In Facebook’s case, that’s $1.6 billion (Dh5.88 billion) based on 2017 revenue. It’s natural for the company to try to limit its exposure to that kind of punishment, but it undermines its narrative of contrition and a commitment to privacy.

It’s worth taking stock of what the GDPR requires. Perhaps most importantly, the regulation demands a detailed approach to asking for consent to process personal data. Consent must be received for each separate data collection practice, explicitly, in clear and plain language. Consent must also be “as easy to withdraw as to give”, and use of the service shouldn’t be conditional on a customer’s consent to the collection of personal data that is not directly necessary for the service itself.

Incomprehensible legal document

On all these points, Facebook currently fails. The “Privacy Settings and Tools” section of a user’s profile doesn’t ask for consent to any kind of data collection. Nor does the Data Policy contain any links to consent forms for particular types of data harvesting. Some of these forms are hidden in the “Ads” section of the profile, where most people wouldn’t look for them, and even there, I’m not asked directly to agree to give up my data.

For example, Facebook informs me that I’ve been accurately placed in the advertising category “Returned from travels 1 week ago” — but I have no idea how it knows that, since I haven’t posted anything on Facebook from my most recent trips nor explicitly agreed anywhere to provide that information to advertisers. I may have clicked to approve some long, incomprehensible legal document at some point to give Facebook access to my location data, but that won’t wash in Europe starting May 25. All I can do about it now is delete the ad category, but that won’t stop Facebook from continuing to collect the information.

In its most recent post, Facebook uses elliptical language to promise to ask users whether they want to let it “use data from partners” to target advertising. If it took GDPR seriously, it would use plainer language: “For years, we have been collecting data about your browsing and app use outside Facebook. We use the data to place you in categories advertisers can select when buying our ads. May we continue or would you like us to stop?” That would comply with the clarity requirement and with the GDPR provision that users can object.

To quote Facebook itself, “it’s time” for the company to come clean about the data it has collected for which it doesn’t have user consent under the GDPR, and to start systematically informing advertisers and investors about the number of users who have refused to provide such data. So far, Facebook hasn’t even provided accurate information about the number of fake accounts in its user base.

The Pivotal Research note, for example, asserts that there were 287.4 million false and duplicate accounts among Facebook’s reported 2.1 billion users. In 2017, according to the note, the reported user base grew by 269 million accounts, but 142 million of them — almost 53 per cent — were fakes and duplicates. Add all the people who will opt out of providing data when (if ever) they are asked clearly about it, and Facebook’s ability to sell targeted ads may be severely impaired.

If Facebook actually complies with the rules, its business performance will be an indicator of how the whole company can perform if required to stop misleading users and customers about practices central to its business model. Investors should follow it closely: Privacy rules will inevitably be tightened outside Europe someday, too.
