Facebook urged to make GDPR its “baseline standard” globally


privacy please
Image Credits: Josh hallett (opens in a new window) / Flickr (opens in a new window) under a CC BY 2.0 (opens in a new window) license.

Facebook is facing calls from consumer groups to make the European Union’s incoming GDPR data protection framework the “baseline standard for all Facebook services”.

The update to the bloc’s data protection framework is intended to strengthen consumers’ control over how their personal data is used by bolstering transparency and consent requirements, and beefing up penalties for data breaches and privacy violations.

In an open letter addressed to founder Mark Zuckerberg, a coalition of US and EU consumer and privacy rights groups urges the company to “confirm your company’s commitment to global compliance with the GDPR and provide specific details on how the company plans to implement these changes in your testimony before the US Congress this week”.

The letter is written by the Trans Atlantic Consumer Dialogue, and co-signed by Jeffrey Chester, the executive director of the Center for Digital Democracy in the US and Finn Lützow-Holm Myrstad, the head of the digital services section at the Norwegian Consumer Council.

“The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process,” they write. “The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located.

“We favor the continued growth of the digital economy and we strongly support innovation. The unregulated collection and use of personal data threatens this future. Data breaches, identity theft, cyber-attack, and financial fraud are all on the rise. The vast collection of personal data has also diminished competition. And the targeting of internet users, based on detailed and secret profiling with opaque algorithms, threatens not only consumer privacy but also democratic institutions.”

Zuckerberg caused confusion about Facebook’s intentions towards GDPR last week when he refused to confirm whether the company would apply the same compliance measures for users in North America — suggesting domestic and Canadian Facebookers, whose data is processed in the US, rather than Ireland (where its international HQ is based), would be subject to lower privacy standards than all other users (whose data is processed within the EU) after May 25 when GDPR comes into force.

In a subsequent conference call with reporters, Zuckerberg further fogged the issue by saying Facebook intends to “make all the same controls available everywhere, not just in Europe” — yet he went on to caveat that by adding: “Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places.”

Privacy experts were quick to point out that “controls and settings” are just one component of the data protection regulation. If Facebook is truly going to apply GDPR universally it will need to give every Facebook user the same high privacy and data protection standards that GDPR mandates for EU citizens — such as by providing users with the right to view, amend and delete personal data it holds on them; and the right to obtain a copy of this personal data in a portable format.

Facebook does currently provide some user data on request — but this is by no means comprehensive. For example it only provides an eight-week snapshot of information to users about which advertisers have told it they have a user’s consent to process their information.

In denying a more fulsome fulfillment of what’s known in Europe as a ‘subject access request’, the company told one requester, Paul-Olivier Dehaye, the co-founder of PersonalData.IO, that it would involve “disproportionate effort” to fulfill his request — invoking an exception in Irish law in order to circumvent current EU privacy laws.

“[Facebook] are really arguing ‘we are too big to comply with data protection law’,” Dehaye told a UK parliamentary committee last month, discussing how difficult it has been to get the company to divulge information it holds about him. “The costs would be too high for us. Which is mindboggling that they wouldn’t see the direction they’re going there. Do they really want to make that argument?”

Whether that situation changes once GDPR is in force remains to be seen.

The new framework at least introduces a regime of much larger penalties for privacy violations — beefing up enforcement with maximum fines of up to 4% of a company’s global annual turnover. So the legal risks of trying to circumvent EU data protection law will inflate substantially in just over a month.

And Facebook has already made some changes ahead of GDPR coming into force (and likely to try to comply with the new standard) — announcing it’s shutting down a partnership with major offline and online data brokers, for example.

“Consumer groups and privacy groups, human rights groups, civil rights groups will all probably be watching how GDPR is implemented,” Finn Lützow-Holm Myrstad tells TechCrunch. “And will be ready to probably go to court to establish that these are fundamental rights for European citizens at the moment. So we’re definitely going to pay attention.

“But obviously we really want the industry to work with us and to take this seriously because if they don’t there will be a very negative spiral of court cases and a chilling effect for consumers because they will be afraid of using these services. And they will be caught in the middle because of the lack of options that they have when it comes to these services. And I don’t think that’s good for anyone. So we really hope that this is sign of change — real change — from Facebook.”

The company remains under huge pressure following revelations about how much Facebook user information was passed to a controversial political consultancy, Cambridge Analytica, by a developer using its platform to deploy a quiz app as a vehicle for harvesting personal data without most users’ knowledge or consent.

Facebook has said as many as 87M users could have had their data passed to Cambridge Analytica as a result of them or their friends downloading the app in 2014.

Zuckerberg is due to give testimony on this and likely wider issues related to privacy and data protection on his platform to US politicians this week.

One line of questioning might well focus on why Facebook has so studiously ignored years of warnings that it was not adequately locking down access to user data on its platform.

The Norwegian Consumer Council actually filed a complaint about Facebook app permissions all the way back in 2010, writing presciently then: “Third-party applications should only be given access to the information they need in order to function. Facebook should not be able to renounce responsibility for the way in which third parties collect, store or use personal data. As a facilitator and operator Facebook must take direct responsibility for the applications available on the platform.”

Myrstad says Facebook’s historical response to these sort of privacy complaints has been “sadly very, very little”.

On the contrary, he says the company has made it “really, really difficult to opt out of their tracking, their profiling”. He also describes Facebook’s default settings as “a nightmare” for people to understand. In terms of GDPR compliance, he says he believes Facebook will need to make changes to their business model and alter default settings — at very least for users whose data gets processed via Facebook Ireland.

“They will definitely need to have much better consent mechanisms than they do today. Much less take it or leave it,” says Myrstad. “I think there will be a discussion also in Europe, and I think it’s not yet written in stone yet how this will turn out, but we definitely also think that the amount of tracking that Facebook does by default on other websites will need an actual explicit consent — which there is not today. It’s not possible to opt out of the tracking.

“You can opt out of behavioral advertising but that’s not the same as opting out from tracking. And I think the way they do that today is not in line with GDPR… I think they will actually struggle [to comply]. They’re already struggling under current law in Europe. So they will need to make some fundamental changes to their business model.”

At the time of writing Facebook had not responded to a request for comment.

More TechCrunch

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

2 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

2 days ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.