Facebook’s had a month of hell. Ever since reports surfaced that British data firm Cambridge Analytica got access to the personal information of nearly 87 million Facebook users, the social media giant has been struggling with the massively increased scrutiny of its data collection and privacy protection policies. The company has announced a bunch of changes and updates in the last few weeks in response, and CEO and Founder Mark Zuckerberg testified in Congressional hearings last week that the company would do more to protect the data of its users. However, a new report by Reuters has revealed that Facebook might actually be trying to avoid stricter privacy regulation from applying to a huge chunk of its users.
According to the report, Facebook plans to update its terms-of-service (ToS) in the near future to restrict Europe’s new General Data Protection Regulation (GDPR) rules for only European users. Based on this, Facebook users in Africa, Asia, Australia, and Latin America will not be able to file complaints under the GDPR’s stricter guidelines in case of violation of their data privacy. Instead, they will be subject to regulation under US law, which is noticeably much laxer. As Reuters notes, this removes a huge potential liability for Facebook.
The GDPR rules come into effect on May 25, 2018, and require companies to seek users’ consent before collecting, using, and sharing their data with advertisers and other partners, as well as disclose data breaches promptly. They also impose heavy fines in case companies are unable to comply and keep their users’ data safe – companies could be fined up to 4 percent of their global annual revenue or a maximum of €20 million (nearly US$25 million in today’s exchange rates). Facebook will no doubt be eager to avoid a repeat of a Cambridge Analytica scenario which could see it forced to cough up millions of dollars for not protecting the data of its users.
As of December 2017, Facebook had 239 million users in the United States and Canada, 370 million in Europe, and 1.52 billion users across the rest of the world. This means that Facebook’s proposed ToS changes could impact nearly 70 percent of its global user base. Earlier in April, Mark Zuckerberg said that Facebook aims to implement data privacy policies to comply with GDPR globally “in spirit”, but stopped short of committing to the new rules as the standard for his platform.
The Reuters report notes, “The company said its rationale for the change was related to the European Union’s mandated privacy notices, ‘because EU law requires specific language.’ For example, the company said, the new EU law requires specific legal terminology about the legal basis for processing data which does not exist in U.S. law.”
In a blog post published earlier today, Facebook’s VP and Chief Privacy Officer, Policy, Erin Egan, and VP and Deputy General Counsel Ashlie Beringer wrote, “While the substance of our data policy is the same globally, people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR. We want to be clear that there is nothing different about the controls and protections we offer around the world...People in the EU will start seeing these requests this week to ensure they have made their choices ahead of GDPR coming into effect on May 25. As part of our phased approach, people in the rest of the world will be asked to make their choices on a slightly later schedule, and we’ll present the information in the ways that make the most sense for other regions.”
Facebook, for its part, downplayed the impact of its ToS updates to Reuters, with a company spokesperson insisting “we apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland.” However, whether this will translate into equal data protection rights and policies for Facebook users everywhere, remains to be seen.