Facebook puts 1.5bn users on a boat from Ireland to California
Social media giant continues its loving embrace of GDPR privacy rules
Facebook is quietly changing its terms of service to shift 1.5 billion users away from Europe to the US while continuing to claim it wants to offer greater privacy protections.
The change covers 70 per cent of its users – based in Africa, Asia, Australasia and Latin/South America – and effectively removes legal protections over personal data that the European Union's General Data Protection Regulation (GDPR) will provide from May 25.
Earlier this week, Facebook outlined new privacy settings to bring it in line with the GDPR, insisting that the new law "was an opportunity to invest even more heavily in privacy" and that it was going to go "beyond our obligations to build new and improved privacy experiences for everyone on Facebook."
It strongly implied that it would offer GDPR protections to everyone, penning a blog post this week titled: "Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live."
But that turned out to be yet another Facebook half-truth with the company going to enormous lengths to stop people from cutting it off from the valuable personal data that it packages and sells to third-parties, and which accounts for the bulk of its revenues.
Facebook's CEO Mark Zuckerberg has repeatedly dodged the question over what the company will do when it comes to the new privacy requirements and whether it will extend them to non-Europeans.
“We're still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he said earlier this month to Reuters.
When asked the same question a few weeks later by lawmakers in the US Congress, Zuckerberg appeared to say that Facebook would extend GDPR to all users but commentators noticed that he used the terms "controls" rather than "protections."
And then earlier this week, it was revealed that Facebook has decided to repeat its usual formula of introducing a whole host of controls that it turns on whenever possible and requires users to individually locate and turn off.
Facebook previews GDPR privacy tools and, yep, it's the same old BSREAD MORE
With the decision to legally shift the bulk of its users from European protections to much looser US privacy laws, we have the final word on how Facebook intends to apply European privacy protections outside of the continent: namely, it won't.
That said, Facebook does have part of a legitimate argument in shifting non-Europeans away from its European terms of service since the GDPR will require some changes that won't make sense outside the continent: such as the concept of a Data Protection Officer, or new requirements on moving data outside Europe.
Currently, Facebook has two corporate headquarters: one in California, where it is based, and an international one in Dublin, Ireland – where it receives preferential tax treatment.
US and Canadian users are governed by terms of service from the California HQ and everyone else is covered by the Irish terms of service. Next month, just prior to the GDPR deadline, Facebook will introduce new terms of service that retain Europeans under the Irish terms of service but put everyone else under the US terms.
So, um, yeah
Facebook has acknowledged its plan to shift the legal jurisdiction of 1.5 billion users, but in response to questions has repeated the line that it "applies the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland." It claims there is no tax implication to the move.
Under GDPR, companies are obliged to get the explicit consent of their customers to make their personal data available to third parties, typically advertisers. If they don't they face enormous fines of up to €20 million or 4 per cent of the company’s global annual turnover, whichever is higher. In Facebook's case that would be a staggering $1.6bn.
Considering Facebook's business model it could be seen as good corporate practice to limit its potential liability. But it is hard to tally that approach with the weasel words it continue to use about protecting its users' privacy. It's almost as if the company is worried that if it was completely honest about what it does with its users information they would leave the service in droves. ®
Sponsored: Becoming a Pragmatic Security Leader