As the May 25 deadline for compliance with the EU’s updated privacy framework fast approaches, Facebook is continuing to PR the changes it’s making to try to meet the new data protection standard — and steer away from the specter of fines that can scale as high as 4% of a company’s global turnover.
Today it’s published — for the first time — what it dubs a set of “privacy principles” that it says guide its approach to handling users’ information, making grand claims like: “We give you control of your privacy”, “You own and can delete your information” and “We are accountable”.
In truth it’s just cribbing chunks of the GDPR and claiming the regulation’s principles as its own. So full marks for spin there.
The EU’s sharply tightening enforcement regime for data protection also explains why Facebook hasn’t felt the need to make these kinds of claims in public before.
Indeed, myriad historical snafus show the company pushing in the polar opposite direction where user data and privacy are concerned. (And in more recent history too — e.g. this, this or this, to point to just a few of many counter examples to these newly published ‘principles’.)
No matter, the days of Facebook feeling free to play fast and loose with user data are dwindling — thanks to regulatory interventions.
Under GDPR, the new game Facebook will need to play is gaming trust: Which is to say that it will need to make users feel they trust its brand to protect their privacy and therefore make them feel happy to consent to the company processing their data (rather than asking it to delete it). So PR and carefully packaged info-messaging to users is going to be increasingly important for Facebook’s business, going forward.
To wit: The company said today it will be launching an educational campaign aimed at helping users understand and exercise their rights.
This will be run via explainer videos (featuring the likes of cartoon chameleons) dropped into the News Feed to — as Facebook tells it — give users “information on important privacy topics like how to control what information Facebook uses to show you ads, how to review and delete old posts, and even what it means to delete your account”.
It also said it will be pushing out reminders to Facebookers in the EU to take its existing “privacy check-up” feature — to “make sure they feel comfortable with what they are sharing with who”.
These reminders will begin today and roll out over the week, it says. (Facebook users in the US presumably aren’t getting this special extra privacy check nudge at this time.)
These moves follow an announcement last week, by COO Sheryl Sandberg, saying Facebook would be launching an overhauled global privacy settings hub. Although there’s still no word on exactly when that will launch. Nor what exactly it will look like (and, as ever with privacy and data protection, the devil really is in the detail).
Nor, indeed, whether it really will be universal — “global” — i.e. will it offer identical controls to users in the EU and the US, for example.
Facebook said today that the feature will put “core privacy settings in a single place”. “We’re designing this based on feedback from people, policymakers and privacy experts around the world,” it added. But whether those “core privacy” settings will vary depending on where in the world a Facebook user hails from will be one to watch.
The company has also revealed it’s running a series of data protection workshops throughout this year, aimed at small and medium businesses — starting in Europe, with a stated focus on GDPR.
The first workshop was held in Brussels last week and Facebook has now published a guide for frequently asked questions off the back of it.
Its educational largess around the EU regulations can be explained by the fact that the risks attached to GDPR’s supersized penalties also inflate the liabilities for data controllers (like Facebook) that share user data with third parties for processing. Such as, in its case, if it shares user data with advertisers.
“Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure data is processed safely and legally,” it writes in this FAQ.
Though it also notes there may be instances in which its business is acting as a data processor (such as when it’s supplying its custom audiences product or its workplace premium product).
However the FAQ confirms that if advertisers are using its on-platform advertising tools then Facebook remains the data controller — and is therefore responsible for ensuring GDPR compliance (“including by providing notice and establishing a legal basis”).
Another question (self-)posed in the FAQ asks whether, under GDPR, Facebook sees any incoming restrictions in the way brands use its ad platform and tools.
Its answer to this suggests it does — in instances where advertisers are providing (and thus controlling) the user data for targeting the ads on its platform (via Facebook’s data file Custom Audiences feature) — though it’s not exactly spelling out the implications for advertisers in this situation.
“When an advertiser is the data controller (e.g. data file custom audiences), they must ensure compliance with applicable law, including ensuring a relevant legal basis (for example, consent, contractual necessity or legitimate interests),” Facebook writes here, in minimalist prose.
The ‘not-long-enough;wtf-does-that-actually-mean?’ of that is, under GDPR, advertisers that had been attaching their customer databases to Facebook’s ad targeting tools without their customers really knowing they were doing so will — from May 25, 2018 — need to tell their customers they are doing that and get them to agree to being targeted with ads on Facebook (and stop doing it if they don’t agree — which seems pretty highly likely).
Or else be very confident they can show another valid legal basis — i.e. other than consent — for ad-stalking their customers when they use Facebook.
Of course Facebook itself faces a similar risk — i.e. of Facebook users not consenting to it targeting them with ads itself, powered by their personal data.
But the company is likely to be far better resourced than many of its advertisers to work to gain that consent (via — for example — slick, feel-good ‘infomercial’ videos seeded in the Facebook News Feed).
It also of course controls a hugely powerful info-targeting platform which means it will more easily be able to figure out — maybe even A/B test! — how best to position its ‘trust us’ brand messaging to win over its users.
So how far this ‘game of trust’ can really be judged to be fairly weighted from a consumer point of view when the platform in question is so very powerful is a pretty existential question for the regulation. But we won’t have too long to start to see how effective (or otherwise) GDPR is at forging a lasting link between ‘data’ and ‘protection’.