Facebook talks nice but takes action as European privacy rules loom

A new "privacy experience" comes as Facebook looks to limit its liability

Facebook CEO Mark Zuckerberg has spoken positively of impending European regulations meant to improve consumer data privacy. But as Facebook makes moves to limit its liability, privacy advocates are starting to question whether Zuckerberg really meant his kind words.

Two major changes came to light this week with regard to Facebook’s preparations for the European Union’s General Data Protection Regulation, or GDPR, which takes effect on May 25. First, Reuters reported that the company changed the governance of its terms of service agreement for all users not in Europe — 1.5 billion of them, in Africa, Asia, Australia and Latin America — away from Ireland, the company’s international headquarters. The move puts these users outside of the E.U.’s jurisdiction.

Second, Facebook introduced a new “privacy experience” in which users are asked to review their settings in accordance with the GDPR. Users will be prompted to go through a series of menus and decide how Facebook can target them with ads.

Both moves have been met with skepticism. Jason Kint, CEO of the online publishing trade association Digital Content Next and a vocal Facebook critic, said Facebook is moving to ensure its business is not hit by the regulatory changes.

“Facebook is doing as much as they can to protect their revenue,” Kint said. “Ninety-eight percent of their revenue is being tied to being able to collect as much data as possible to target audiences. Any raising of the bar has a negative impact on their business and has risk for them.”

The General Data Protection Regulation was passed in 2016 and companies were given two years to become compliant before regulators begin enforcing rules about the types of data companies can collect and store. Users are also given ownership of their data, affording them the right, in some cases, to request that it be deleted. Additionally, all data breaches must be reported within 72 hours.

Those changes are forcing a variety of companies to change their systems and their terms of service. Facebook is no different. The moves Facebook has taken so far indicate how high the stakes are under Europe’s new rules. If companies run afoul of regulators, they could be slapped with fines as high as 4 percent of their yearly revenue — which for Facebook could be billions of dollars.

Dipayan Ghosh, a fellow at the think tank New America and a former privacy and public policy adviser at Facebook, said the company’s move made sense in order to limit the risk posed by GDPR.

"Facebook's pivot in transferring 1.5 billion users' data onto U.S. shores — a decision that is apparently no different from those made by other U.S. internet firms — is premised on the idea of damage limitation,” Ghosh wrote in an email. “While we can expect the way that those users will be treated by the company to be no different from any other Facebook user, the company is clearly instituting this momentous change to control its global liabilities."

Stephen Deadman, Facebook’s deputy chief global privacy officer, said in a statement that the company’s change in its service agreement would not preclude users from the protections that GDPR implements.

“The GDPR and E.U. consumer law set out specific rules for terms and data policies which we have incorporated for E.U. users,” Deadman said. “We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.”

Facebook rolled out a first look at those protections this week. Users are presented with a series of screens that ask for consent in accordance with GDPR. That system has already received criticism from pundits and journalists who point out that the system appeared designed to get users to agree with old settings as opposed to switching to new options that allow them to limit how ads are targeted at them.

“But with a design that encourages rapidly hitting the ‘Agree’ button, a lack of granular controls, a laughably cheatable parental consent request for teens and an aesthetic overhaul of Download Your Information that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data,” wrote TechCrunch’s Josh Constine in a review of the new privacy controls.

Facebook’s move to take 1.5 billion users out from under GDPR’s umbrella combined with its new terms of consent system would appear to contradict some of the statements Zuckerberg has made about GDPR.

During a rare phone conference with reporters this month, Zuckerberg said he believes “regulations like GDPR are very positive.” He made similar comments during his two days of testimony before Congress.

“We intend to make all the same controls and settings available everywhere, not just in Europe,” he said. “Is it going to be exactly the same format? Probably not. We need to figure out what makes sense in different markets with the different laws and different places.”

“But — let me repeat this — we’ll make all controls and settings the same everywhere, not just in Europe,” Zuckerberg said.

But moving the terms of service agreement outside of Europe for 1.5 billion people means those users won’t be able to file complaints with European regulators. It’s a win for Facebook, since it will limit its exposure to possible fines.

“Mark is as flimsy as he has ever been on consumer privacy,” Kint said. “That is what we are witnessing in their discussion around GDPR.”

Ghosh said that tech companies in general have shown that they are working to avoid Europe’s GDPR rule and that individual countries will need to implement their own rules.

"The industry's actions make it starkly clear that if those countries around the world whose citizens' data is being transposed to the United States wish to give their people the same level of rights as Europeans now have in the face of Silicon Valley, they will need to pass national privacy standards of their own,” Ghosh said.

Navneet Mathur, senior director of global solutions at Neo4j, a data management company, said Facebook’s handling of GDPR shows that the law has created a “fundamental problem” for its business model, prompting the last-minute moves to ensure that Facebook still has options for collecting precious user data.

“I think they are just moving the cheese,” Mathur said. “Now that Europe has clamped down on these forms of data, they are looking for other ways where the regulation is not clear.”