Mark Zuckerberg refuted a Reuters story yesterday that said Facebook would not bring Europe’s General Data Protection Regulation privacy safeguards around the world. “Overall I think regulations like this are very positive” Zuckerberg said on a conference call with reporters today. “We intend to make all the same controls available everywhere, not just in Europe.”
Zuckerberg noted that “Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places. But let me repeat this, we’re going to make all the same controls and settings available everywhere, not just in Europe.”
However, some critics believe that adding GDPR “controls and settings” doesn’t necessarily mean also implement GDPR’s rules acround data control, consent, data portability, the right to be forgotten, and the right to know how your data is being processed. The question is whether Zuckerberg’s careful wording will let Facebook offer fewer privacy protections everywhere than GDPR mandates, or whether he truly means all of GDPR will be applied globally.
[Update: 3pm Pacific: A Facebook spokesperson tells TechCrunch that Facebook does have plans to comply with GDPR’s data privacy rules around the world, not just provide GDPR “controls and settings” as Zuckerberg mentioned. For example, Facebook offers the Download Your Information option globally to comply with data portability rules, updated its Data Use Policy today with details on collection practices to comply with the right to know how your data is being processed, and provides opt-outs to comply with consent rules.
Facebook says that some laws elsewhere in the world conflict with GDPR’s new laws for Europe so they can’t be extended everywhere, and that the interface for some of these tools may vary. But overall it seems that Facebook is intent on bringing the same privacy and control afforded by GDPR to everyone.]
GDPR goes into effect on May 25th, and places requirements on data controllers, forcing them to explain to people what personal data they intend to collect and why. It’s focused around consent. Facebook has made its own moves to boost consent for ad targeting. TechCrunch reported that Facebook plans to implement a Custom Audiences Certification Tool that will require businesses to pledge that they had the consent to collect user email addresses and phone numbers that they’re uploading to Facebook for ad targeting.
GDPR also lets users request a copy of their personal information free-of-charge and get a response within a month. It gives people the right to not be subject to significant decisions by businesses that impact their privacy. Users also have some rights to erase their personal data if they withdraw consent or it’s no longer necessary for the reason it was collected. Violations can trigger hefty fines.
Zuckerberg’s statements indicate that the progressive, privacy-first legislation passed in the European Union will benefit everyone. The inability to make unilateral changes to people’s privacy and the right to erasure could hamper some of Facebook’s ability to roll out new products and require it to build stronger systems to comply with user requests. But given how much Facebook earns from our data, making it jump through some hoops to give users more agency seems like a reasonable tradeoff.
For more on GDPR, check out our explainer: