There is no way to sweeten this message: Facebook founder Mark Zuckerberg believes that users of his platform in North America deserve a lower data protection standard than people anywhere in the world.
In a telephone interview with Reuters, yesterday, Mark Zuckerberg refused to commit to the universal implementation of changes to the platform that are necessary to comply with the incoming General Data Protection Regulation (GDPR) of the European Union.
Rather, he said the company was working on a version of the law that would bring some European privacy guarantees around the world, and refused to specify to the journalist what parts of the law would not be spread around the world.
"We are still looking for details about this, but it should be, in a directional sense, in essence, everything," Reuters quotes Zuckerberg in the GDPR question.
This is a subtle line change. Facebook's leadership previously implied that the product changes it is making to comply with GDPR's incoming data protection standard would be extended globally.
In January, COO Sheryl Sandberg said the company would launch "a new privacy center around the world," putting "the central privacy settings for Facebook in one place and making it easier for people to manage their data."
A Facebook spokeswoman confirmed to TechCrunch today that the changes she revealed late last month – including finally reducing her historical configuration from 20 screens to just one – were what Sandberg was talking about in those earlier comments. Ergo, even those basic adjustments are a direct result of EU regulation.
However, that universal privacy center seems to be only part of the changes that Facebook needs to make to comply with the new EU standard. And not all of these changes will be available to US Facebook users. UU And Canada, according to Zuckerberg's observations.
In a blog about the new privacy center late last month, Facebook marked additional inbound changes to its terms of service, including "commitments" for users, and the language it uses to explain how people's data is processed. .
He said that these incoming changes would be "about transparency."
And, in fact, transparency is a key underlying principle of GDPR, which imposes requirements on data controllers to clearly explain to people what personal data they intend to collect and for what exact purpose, in order to obtain informed consent to process the data. data (or, if not consent, another valid basis is required for data processing to be legal).
What is not clear is exactly what parts of GDPR Facebook believe can be safely separated for users on their platform and not risk mishandling accidentally the personal data of an international user (let's say he could be visiting or living in the US . UU.) And run the risk of privacy complaints and, ultimately, financial penalties (penalties for violations can be very large according to GDPR).
I am quite confused about how Facebook will reliably distinguish between EU users and non-EU users, to build separate levels of granular and revocable optional consent controls that comply with GDPR from another level of voluntary opt-out consent controls .
– David Carroll ? (@profcarroll) April 4, 2018
Facebook did not answer additional questions about its intentions of GDPR compliance, so we can speculate at this stage.
It is even a risky strategy in pure public relations terms. As we wrote in January in our GDPR explainer: "[S] some US companies may prefer to avoid the hassle and expense of fragmenting their data management processes … But doing so means managing multiple data regimes. at least he risks bad public relations if it is revealed that he deliberately offers a lower privacy standard to the users of his home than to customers abroad. "
It is safe to say, calls for an equal GDPR application in the US. UU They have already begun …
This is a Zuck test to see how much Americans and Facebook Congress will demand.
We must rise to this test and demand the equal application of GDPR in the US. UU (Of all the major technology companies).
This is concrete and can be done at this time since it is already built for Europe. https://t.co/wSG8BknJeE
– Gabriel Weinberg (@yegg) April 3, 2018
On the speculation front, the consent under GDPR to process personal data means to offer individuals "genuine options and control", as explained by the UK data control agency. So, maybe Facebook does not feel comfortable giving users in North America that kind of autonomy to revoke specific consents at will.
Or maybe Zuckerberg is not willing to allow Americans to request their personal data in a proper way so they can go and connect it to a rival service. (Although it already allows users to download their data).
Or it could be that Facebook is not comfortable with what GDPR has to say about profiles, which is, after all, the core of the company's ad targeting business model.
The transparency requirements of the regulation extend to the creation of profiles, which means that Facebook will have to inform users (at least their international users) about the profiles when they use the platform, and explain what it means to them .
So, maybe Zuckerberg thinks that Americans might refuse if they really understood how penetratingly they track when they have to explain exactly what they are doing, as some Facebook users did recently, when they discovered that Messenger had been recording their call and SMS metadata. , for example .
EU regulation also imposes some restrictions on the practice of using data to profile individuals if the data is confidential, such as health data, political beliefs, religious affiliation, etc., which require an even higher standard of explicit consent to do so. .
And, of course, with the Cambridge Analytica data abuse scandal, we have seen how massive amounts of Facebook data were used expressly to try to infer the political beliefs of American voters.
Let's not forget that Facebook itself uses its own resources to involve politicians and use its platform for campaigns as well. So maybe you worry that you could risk losing this piece of elite business in the US. UU If American Facebook users have to give their explicit consent to their political inclinations being a fair game for advertising purposes. (And when many people would probably say no, thank you, Mark, that's none of your business & # 39;).
But, as I say, we can only speculate what kind of GDPR carve outs Zuckerberg has planned for users in their homeland at this stage. The regulation goes into effect on May 25, so Facebook users do not have to wait long to play a game of detecting the discrepancy in the privacy standard.
What is more curious about the fact that the founder of Facebook has objected to a universal application of GDPR is the opportune moment, in the middle of the biggest debatable privacy scandal in the history of the company.
And if he feels that the privacy of Americans can be handled as a backburner consideration even now, by revealing that he plans to work really hard to make sure that national Facebook users have a second level of privacy below the rest of the world, Well, you have to question the authenticity of his recent apology for the "mistakes" that, he claimed, led to the Cambridge Analytica scandal.
Facebook was warned about the permissions of the application in 2011, as we have previously reported. However, it did not close the developer access that was used to pass personal data from more than 50 million Facebook users to Cambridge Analytica until mid-2015. So, frankly, if that was a mistake, it was very, very slow.
Some might say that it is more like reluctance to comply with data protection standards.
Here is one of the leading architects of GDPR – European MEP Jan Philipp Albrecht – asking the key question now: How much time will American consumers spend going to the privacy coach class? To you…
#Facebook CEO #Zuckerberg announces that his business will apply the EU representation of #GDPR to Ireland only. This means that the entire world will benefit from a high protection of the EU against privacy, with the exception of Canada and the United States. How long will consumers take this? ?
– Jan Philipp Albrecht (@JanAlbrecht) April 4, 2018