The European Union’s General Data Protection Regulation (GDPR), a strict set of laws governing what data tech companies can collect on users, requiring them to seek explicit opt-in consent before doing so, and promptly disclose breaches, goes into effect on May 25th, 2018. Currently, the GDPR would require Facebook to apply these changes to 1.9 billion users.
It wants to exclude 1.5 billion of those users.
Per Reuters, Facebook users outside the US and Canada are currently subject to whatever regulations apply to the company’s foreign headquarters in Ireland—where it is situated to take advantage of generous tax rules other countries have labelled a tax haven. Whoops! But the company is planning to try and exempt all of those users outside the EU, Reuters reported on Wednesday, in what seems like an attempt to make an end run around the privacy rules and dodge potential fines as well:
Facebook members outside the United States and Canada, whether they know it or not, are currently governed by terms of service agreed with the company’s international headquarters in Ireland.
Next month, Facebook is planning to make that the case for only European users, meaning 1.5 billion members in Africa, Asia, Australia and Latin America will not fall under the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25.
The previously unreported move, which Facebook confirmed to Reuters on Tuesday, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.
That removes a huge potential liability for Facebook, as the new EU law allows for fines of up to 4 percent of global annual revenue for infractions, which in Facebook’s case could mean billions of dollars.
Facebook is under a large amount of scrutiny following the Cambridge Analytica scandal, in which a shady election data firm partnered with an app that collected data on up to or more than 87 million users without their consent. (Facebook says this was a violation of the policies, though it seems an awful lot like the company put a low priority on such violations in the service of furthering its ad business.) It’s repeatedly insisted that the tweaks it has made to its data-sharing policies since will prevent future incidents, though it’s admitted that all users should assume their public data has already been scraped due to flaws in their search and account process, and that other apps may exist that harvested large amounts of ostensibly secured data in previous years.
GDPR-style regulations would make such future Cambridge Analyticas a lot less likely to happen, but also might threaten Facebook’s bottom line. So Facebook predictably downplayed its attempt to dodge them to Reuters, trotting out a line it’s used before when talking about the potential application of GDPR-style protections in the US: Those 1.4 billion users will have their data treated the same as EU users in spirit.
“We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland,” Facebook told Reuters in a statement.
Reuters wrote that the company’s official, vague rationale for the change is the vagaries of European law, not its desire to keep gobbling up user data with few checks on the process:
The company said its rationale for the change was related to the European Union’s mandated privacy notices, “because EU law requires specific language.” For example, the company said, the new EU law requires specific legal terminology about the legal basis for processing data which does not exist in U.S. law.
If the company succeeds in dodging the GDPR outside the EU, users will be subject to lax US privacy standards, which would allow the company to continue collecting data like web histories it collects via the “Like” and “Share” buttons embedded on innumerable websites. (Given that Congress is currently controlled by Republicans allergic to regulation, it seems unlikely anything about that is going to change on a legislative level following Zuckerberg’s testimony before them earlier this month.)
According to Reuters, the change would ultimately exclude 1.52 billion users, or over 70 percent of people with accounts, based on December 2017 user statistics. [Reuters]