In the wake of the Cambridge Analytica scandal, Mark Zuckerberg was at pains to emphasize how eager he was to protect users’ personal information — including supporting a piece of landmark European Union legislation on data privacy. At the time, he told Reuters reporters that he supported that act “in spirit” and said that Facebook was working to create a similar version of the law.
In reality however, Zuckerberg’s words were mostly hollow. On Thursday, it emerged that Facebook was moving 1.5 billion international user accounts out of reach of the new privacy law, which is scheduled to go into effect on May 25. Instead, Facebook has decided to move the responsibility for all non-U.S. and Canadian accounts from Ireland — where the upcoming General Data Protection Regulation (GDPR) would have jurisdiction — to Facebook’s home in California, which is not subject to the new rules.
The company maintains that the same privacy protections apply to everyone no matter where they live. But privacy researcher Lukasz Olejnik said told The Guardian that this change — which was noted in a Facebook terms and conditions tweak — will have major ramifications.
“This is a major and unprecedented change in the data privacy landscape,” he said. “This change will amount to the reduction for privacy guarantees and the rights of users, with a number of ramifications, notably for consent requirements.”
This isn’t the only way that Facebook has sought to usurp the GDPR. On Tuesday, an email obtained by Politico, sent hours before Zuckerberg was to testify in front of lawmakers in Congress, showed that the company had asked conservative groups for help in coming up with ideas to criticize the GDPR.
“I know it’s not lost on anyone in the free market community that with the GDPR on the way in Europe and the rapidly changing discussions here in Washington, there’s an increased chance Washington will rush to regulate,” Lori Moylan, a Facebook public policy manager, wrote. “It would be incredibly helpful for our privacy team to hear from you.”
When it’s implemented, the GDPR will make sweeping changes to the way tech giants like Facebook collect data and how they obtain consent from their users. People residing in European Union member nations will now also have expanded rights to obtain data a company collects about them, as well as the “right to be forgotten” — a rule requiring companies to delete the data they collect on a person if the person asks. Companies will also only be able to collect data for specific business purposes.
If a company like Facebook, Google or Amazon is found to have violated the GDPR they face fines of up to 4 percent of their global revenue, which in Facebook’s case could mean upwards of $1.5 billion.
Facebook has introduced privacy safeguards for users around the world that ensure it complies with the GDPR, asking users explicitly to review important privacy information before features like facial recognition are enabled, for example. But as the company’s latest move shows, Facebook is extremely invested in avoiding the European regulation if it can.