Facebook is struggling with the EU's stricter privacy laws

Facebook seems caught off guard by rules that have been in the pipeline for six years.

There's never an ideal time for your multibillion-dollar company to take center stage in one of the most high-profile privacy scandals ever seen, but for Mark Zuckerberg, the Cambridge Analytica fiasco couldn't have come at a worse point. As Europe readies itself for the General Data Protection Regulation (GDPR) coming into force on May 25, all eyes are on Facebook, scrutinizing its every move ahead of the biggest web privacy shake-up of our time. And it's not done a great job of instilling confidence so far.

GDPR represents stronger, unified data protection laws across the EU. Under the regulation, organizations are held to account for the personal data they hold and collect from people, and it enshrines the "right to be forgotten" laws as the "right to erasure." Individuals can request a copy of the personal information any company keeps on them, and find out what data is being processed and for what purpose. They'll also get the right to data portability, which means they can take data from one company and give it to another. The law, which is largely focused on data consent, is designed to be a "one-stop-shop" for companies operating across the EU, and those in breach of the legislation can be fined up to €20 million, or four percent of annual global turnover.

GDPR has been six years in the making, so it's not as if the legislation has snuck up on anyone. Yet Facebook still seems unsure about how it's going to manage the changes across its entire operations. Evidently, it has to comply with GDPR within the EU, so many assumed the law would form the basis of Facebook's global privacy policy going forward. However, in a phone interview with Reuters earlier this week, Zuckerberg said he agreed "in spirit" with the EU law, but wouldn't confirm whether the company would use it as a standard across the world, instead commenting: "We're still nailing down details on this, but it should directionally be, in spirit, the whole thing."

The implication was that North American Facebook users would get a lower standard of data protection than their European counterparts -- which naturally set the internet alight -- but Zuckerberg was quick to refute Reuters' claims. In a later conference call with reporters, he made it crystal clear that Facebook will "make all controls and settings the same everywhere, not just in Europe."

The problem is, implementing a raft of GDPR-friendly "controls and settings" is not necessarily the same as adhering to GDPR's actual principles of data control, consent, portability and erasure, leading some to question whether Zuckerberg is simply using careful wording to skirt around the issue of global GDPR compliance. Engadget reached out to Facebook for clarity on this and was repeatedly directed to a transcript of the recent call where Zuckerberg ambiguously stated, "We need to figure out what makes sense in different markets with the different laws and different places."

And in fairness, this statement holds some truth. While Facebook has now confirmed its intention to roll out GDPR benchmarks (not just "controls and settings") globally, some existing laws around the world do conflict with the upcoming EU legislation. How Facebook handles this remains to be seen. It's more important than ever before that the company is completely transparent with its privacy and data policies. Muddying the waters with vague statements and ambiguous announcements only jeopardizes what little faith its user base has left in it.