Facebook and the spirit of the law
In a move designed to reduce the impact on its activities of the EU’s General Data Protection Regulation (GDPR), which comes into force on May 25, Facebook is about to switch the terms of service for around 70% of its 1.9 billion users from those provided by its Ireland-based headquarters to those applied by its US offices.
The move jars with Mark Zuckerberg’s comments shortly before appearing before the US Senate Committee on Commerce, Science and Transport earlier this month, when he seemed to say that his company would apply the GDPR’s privacy framework worldwide.
Instead, Facebook now says the privacy of its users living outside the EU will be protected by controls in the same “spirit” as the GDPR, but that will not be subject to the scrutiny of the EU — with which the company has had numerous run-ins — and therefore it will not be exposed to fines of up to 4% of its global annual revenue for infractions.
The doubts expressed in some quarters about Zuckerberg’s sincerity at the time now seem to be justified: Facebook will work within the laws of the countries it operates in, instead of applying the GDPR universally. This means that outside Europe, the company only has to “try to approach” EU protection levels, but if it fails, it will not face any sanctions. So, until the US government or others follow the EU’s lead, which seems unlikely for the moment, Facebook can continue to take advantage of legislation that allows it to use people’s data as it sees fit, which is not what Zuckerberg seemed to be suggesting after his latest mea culpa in the wake of the Cambridge Analytica scandal.
If Zuckerberg really wants to change things at Facebook, he needs to create the mechanisms and outward signs that would indicate this. Instead, his first move in response to new laws aimed at protecting his users is remove those users from that protection, which could be interpreted as him not taking the idea of change too seriously, and seems more in line with a damage limitation exercise. Let’s be clear: providing controls in the “spirit” of the EU legislation is not the same as applying those rules universally. The former is the law, the latter is an interpretation of the law, and on the basis of Facebook’s history, its interpretation of the GDPR will likely bear little resemblance to the real thing, and why should it, when it is free to interpret it as it sees fit? Facebook’s goodwill regarding promise to better protect the privacy of its users may well prove insufficient, but we’ll have to see. That said, as a first response to its latest scandal, the signs are not encouraging.
(En español, aquí)