In my opinion, Facebook is highly unlikely to need any new permissions, as it is a free service provided in return for users being targeted for advertising.
Has decentralised technology already outdated the GDPR?
Nick Halstead
881

I’m not so sure about this interpretation. GDPR Article 3:2(a) says the regulation applies where:

“the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or”

So free service or not free service, the same rules will apply.

And I would actually guess that Facebook and others will need to get new explicit consent from EU users, as per (among others) Recital 32:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”

So in my reading, if Facebook doesn’t have a record of explicit opt-in consent by users for each purpose, they may be in trouble. See also: Art. 6, Lawfulness of Processing.

In conclusion, I would say that the regulation is pretty specifically intended to counter the types of unlimited personal data usage huge companies like Facebook are built on. And even smaller companies targeting EU users will have to comply: