Facebook to exclude North American users from some privacy enhancements

There’s no way to sugarcoat this message: Facebook’s founder Mark Zuckerberg believes North America users of his platform deserve a lower data protection standard than people everywhere else in the world.

In a phone interview with Reuters yesterday Mark Zuckerberg declined to commit to universally implementing changes to the platform that are necessary to comply with the European Union’s incoming General Data Protection Regulation (GDPR).

Rather, he said the company was working on a version of the law that would bring some European privacy guarantees worldwide — declining to specify to the reporter which parts of the law would not extend worldwide.

“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,”  Reuters quotes Zuckerberg on the GDPR question.

This is a subtle shift of line. Facebook’s leadership has previously implied the product changes it’s making to comply with GDPR’s incoming data protection standard would be extended globally.

Back in January, COO Sheryl Sandberg said the company would be rolling out “a new privacy center globally” — putting “the core privacy settings for Facebook in one place and make it much easier for people to manage their data”.

A spokeswoman for Facebook confirmed to TechCrunch today that the changes it revealed late last month — including finally reducing its historical settings sprawl from 20 screens to just one — were what Sandberg was talking about in those earlier comments. Ergo, even those basic tweaks are a direct result of the EU regulation.

However that universal privacy center looks to be just one portion of the changes Facebook needs to make to comply with the new EU standard. And not all these changes are going to be made available to US and Canadian Facebook users — per Zuckerberg’s remarks.

In a blog about the new privacy center late last month, Facebook flagged additional incoming changes to its terms of service — including “commitments” to users, and the language it uses to explain how it’s processing people’s data.

It said these incoming changes would be “about transparency”.

And indeed transparency is a key underlying principle of GDPR, which places requirements on data controllers to clearly explain to people what personal data they intend to collect and for what exact purpose — in order to gain informed consent for processing the data (or, if not consent, another valid basis is required for the data processing to be legal).

What’s less clear is exactly which portions of GDPR Facebook believes it can safely separate out for users on its platform and not risk accidentally mishandling the personal data of an international user — say who might be visiting or living in the US — thereby running the risk of privacy complaints and, ultimately, financial sanctions (penalties for violations can be very large under GDPR).

Facebook did not respond to additional questions about its GDPR compliance intentions so we can but speculate at this stage.

It’s even just a risky strategy in pure PR terms. As we wrote in January in our GDPR explainer: “[S]ome US companies might prefer to swallow the hassle and expense of fragmenting their data handling processes… But doing so means managing multiple data regimes. And at very least runs the risk of bad PR if you’re outed as deliberately offering a lower privacy standard to your home users vs customers abroad.”

Safe to say, the calls for equal application of GDPR in the US have started already…

On the speculation front, consent under GDPR for processing personal data means offering individuals “genuine choice and control”, as the UK’s data watchdog explains it. So perhaps Facebook isn’t comfortable about giving North American users that kind of autonomy to revoke specific consents at will.

Or maybe Zuckerberg is unwilling to let Americans ask for their personal data in an adequately portable form — so they could go and plug it into a rival service. (Though it does already let users download their data.)

Or it could be that Facebook isn’t comfortable with what GDPR has to say about profiling — which is, after all, the core of the company’s ad targeting business model.

The regulation’s transparency requirements do extend to profiling — meaning Facebook will need to inform (at least its international) users they are being profiled when they use the platform, and explain what it means for them.

So perhaps Zuckerberg thinks Americans might balk if they really understood how pervasively it tracks them when it has to explain exactly what it’s doing — as indeed some Facebook users did recently, when they found out Messenger had been logging their call and SMS metadata, for example.

The EU regulation also places some restrictions on the practice of using data to profile individuals if the data is sensitive data — such as health data, political belief, religious affiliation and so on — requiring an even higher standard of explicit consent for doing so.

And of course, with the Cambridge Analytica data misuse scandal, we’ve seen how massive amounts of Facebook data were expressly used to try to infer US voters’ political beliefs.

Let’s not forget that Facebook itself ploughs its own resources into engaging politicians to use its platform for campaigning too. So perhaps it’s worried it might risk losing this chunk of elite business in the US if American Facebook users have to give explicit consent to their political leanings being fair game for ad targeting purposes. (And when many people would probably say ‘no thanks Mark; that’s none of your business’.)

But, as I say, we can but speculate what kind of GDPR carve outs Zuckerberg has planned for users on his home turf at this stage. The regulation comes into force on May 25 — so Facebookers don’t have long to wait to play a game of ‘spot the privacy standard discrepancy’.

What’s most curious about the Facebook founder demurring on a universal application of GDPR is the timing of it — in the midst of arguably the company’s biggest ever privacy scandal.

At a point when consumer groups are calling for new rules to control social media’s excesses and lawmakers are increasingly willing to listen. “Facebook will gather, analyze and monetize more data from US and other countries outside the GDPR,” Jeffrey Chester, executive director of the Center for Digital Democracy, told us, giving his reaction to Zuckerberg’s comments. “There will be a ongoing weakening of consumer data protection rights as a consequence. NGOs intend to press Facebook, Google and others to adopt any GDPR changes worldwide.”

So if Zuckerberg feels North Americans’ privacy can be handled as a backburner consideration even now, by revealing he plans to work really hard to make sure domestic Facebook users are given second tier privacy status below everyone else in the rest of the world, well, you have to question the authenticity of his recent apology for the “mistakes” that he claimed led to the Cambridge Analytica scandal.

Facebook was actually warned over app permissions in 2011, as we’ve reported before. Yet it did not shut down the developer access that was used to pass personal data on 50M+ Facebook users to Cambridge Analytica until mid 2015. So, frankly, if that was a mistake, it was a very, very, slow moving one.

Some might say it looks rather more like reluctance to comply with data protection standards.

Here’s one of the core architects of GDPR — European MEP Jan Philipp Albrecht — asking the key question now: How long will consumers in North America take being put in privacy coach class? Over to you…

This report was updated with additional comment