GDPR could be Facebook's toughest data management test yet
Unless individuals and organizations have been completely off the grid, it is probably safe to assume that everyone has heard about Facebook’s data privacy woes.
The company that operates the massive social media site has been embroiled in a data scandal after it was revealed that political consulting firm Cambridge Analytica collected personally identifiable information about millions of Facebook users.
Facebook chairman and CEO Mark Zuckerberg in April 2018 testified before the U.S. Senate Committee on Commerce, Science, and Transportation regarding the use of personal data by Facebook in relation to the Cambridge Analytica scandal. Cambridge Analytica announced this week that it is closing its doors, as customers fled the embattled company.
Some of the company’s biggest challenges related to data privacy might lay ahead, in Europe, where one of the most daunting data privacy regulations ever is looming.
The General Data Protection Regulation (GDPR), a set of rules created by the European Parliament, European Council, and European Commission to provide data protection for citizens of the European Union (EU), officially goes into effect on May 25, 2018. Any organization that handles data on individuals within the coverage area is affected by the rules, and the penalties for non-compliance can be as much as 4 percent of the violating company's global annual revenue.
Europe is more attuned to data privacy and security issues than other areas, and takes a much more no-nonsense approach to technology companies and how they handle customer data. And indeed, Facebook is taking heat from government leaders there.
As reported by Bloomberg on April 26, “tension and voices were high” as Facebook CTO Mike Schroepfer was questioned by a U.K. parliamentary committee investigating the impact of social media on recent elections.
One of the most heated exchanges came between conservative minister Julian Knight and Schroepfer, the article said, with Knight saying Facebook was a "morality-free zone," destructive to privacy, and not an innocent party that was wronged by Cambridge Analytica. "Your company is the problem," he said.
Facebook’s vice president and chief privacy officer Erin Egan and vice president and deputy general counsel Ashlie Beringer recently posted an update about its GDPR compliance plans and new privacy protections. They introduced new “privacy experiences for everyone on Facebook” as part of GDPR compliance, including updates to its terms and data policy.
All users will be asked to review information about how Facebook uses data and make choices about their privacy on the social network. The company said it would begin by rolling these choices out in Europe.
"As soon as GDPR was finalized, we realized it was an opportunity to invest even more heavily in privacy,” the posting said. “We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook.”
Facebook has brought together hundreds of employees across product, engineering, legal, policy, design, and research teams to work on privacy initiatives, the posting said. It has also sought input from people outside Facebook with different perspectives on privacy, including those who use its services, regulators, government officials, privacy experts, and designers.
As part of the privacy effort, the company will ask everyone on its network to make choices about allowing face recognition technology to help protect privacy; and to agree to Facebook’s updated terms of service and data policy, which include more detail in response to questions about how its services work.
While the substance of the data policy is the same globally, people in the EU will see specific details relevant only to people who live there, Facebook said, such as how to contact its data protection officer under GDPR.
The post said the new Settings and Privacy Shortcuts features the company announced recently were built with GDPR in mind. “Our recently-expanded tools for accessing your information will allow people to see their data, delete it, and easily download and export it,” the posting said. “These tools are available globally, although we designed them to comply with GDPR too. We’ve also updated our Activity Log on mobile to make it easier for people to see the information they’ve shared with Facebook from their mobile device.”
Data privacy experts say Facebook has a lot of work to do when it comes to bolstering the protection of data in Europe.
“As a non-European company that collected approximately 24 percent of its revenue from Europe in 2017, Facebook faces significant challenges with regard to EU data protection regulations and the GDPR,” says John Eustice, data privacy and data security expert at law firm Miller & Chevalier.
Facebook’s data protection and privacy issues are more complex than those of other multi-national companies for three reasons, Eustice says. First, the quantity of personal data Facebook collects and processes dwarfs that of other companies, even other social media giants. “More users and more data mean more potential vulnerabilities and potential openings for cyber attacks,” Eustice says.
Second, Facebook’s reputation and global reach puts a target on its back, particularly after its admissions of mishandling data in the aftermath of the Cambridge Analytica scandal. Even a minor misstep in terms of data security or data privacy compliance will be news.
Third, the GDPR’s principles of “Privacy by Design” and increased data security will be difficult for Facebook to implement, due to the first two issues—quantity and reputation. GDPR states that data controllers should design and implement processes to protect personal data, retain it only for specific, disclosed purposes, keep it only as long as necessary, and restrict access to it.
“Facebook faces the challenge of obtaining valid consent from EU citizens to process their personal data,” Eustice said. GDPR makes it more difficult for companies to obtain consent from data subjects, he said, because consent must be freely given, specific, informed and unambiguous, either by a statement or by a clear affirmative action.
Given the Cambridge Analytica scandal, Facebook might face even greater difficulty in obtaining EU citizens’ consent in the near term, Eustice said.
“More vital to Facebook’s bottom line, the GDPR requires data subjects to be given the option of opting out of direct marketing, and it further requires that this opt-out be clearly distinguishable from other information,” he said. “To comply, Facebook would have to offer EU citizens a clear opportunity to opt out of what is Facebook’s primary revenue stream—highly targeted online advertisements.”
GDPR also gives EU citizens the right to access their personal data, delete it, or transfer it to competitors as desired.
"Deleting a Facebook profile is a difficult task to accomplish, which resulted in Facebook releasing a video in February 2018 teaching people how to do so,” Eustice said. “In order to comply with the GDPR, Facebook would have to make it easier for EU citizens to understand how their data is being processed, how it can be deleted, and how it can be transferred.”
This would likely result in a sharp increase in “permission screens” that could depress Facebook use by EU citizens, Eustice said.
Facebook operates under a business plan where more data gathered means more insight into customer behavior, noted Heidi Maher, program director for analytics hybrid cloud thought leadership and data privacy officer at IBM, and executive director of the Compliance, Governance and Oversight Council think tank.
“Since its profits are primarily made from advertising revenue, its ability to precisely target the right demographic makes it uniquely positioned to appeal to advertisers who are unsatisfied with other mediums or are looking for a bigger impact with a smaller budget,” Maher said. “The current EU Data Protection Directive currently requires organizations to minimize the retention of personal data for a period no longer than necessary for the purposes for which the data was collected.”
For example, Maher said, “if I answer a ‘find your personality type’ quiz, once I receive the answer to my personality type, the data should be deleted and not used for determining how I will vote or what car I will buy. The use was solely for determining my personality type, not for any other purpose.”
GDPR, which will replace the directive, expands on this principle by providing that in order to comply with the “storage limitation” or “data minimization” principle, data controllers must make certain that the time period for which personal data is stored is kept to a strict minimum.
“This means data hoarding companies such as Facebook must affirmatively delete or return personal data when this data is no longer needed for the original purpose for which it was collected, Maher said.
Based on details that have emerged from its dealings with Cambridge Analytica, “Facebook did not have the necessary controls in place to ensure the shared data was returned or deleted once it was no longer needed for the purpose for which it was shared,” Maher said. “This is a key compliance issue that Facebook must address, or it will face massive fines.”
Maher agreed that Facebook faces a much bigger data privacy challenge in Europe than other large companies.
“A typical global company may have access to customer personal data such as name, address, email, even credit card numbers,” she said. “But in addition, Facebook frequently collects sensitive personal information, such as racial or ethnic origin, political and religious beliefs, sexual orientation, etc. By processing and running analytics on sensitive information, Facebook puts itself in a higher-risk category than a typical global retailer or bank.”
That’s not to say others won’t have difficulties in connection with GDPR compliance. “It will be a challenge for many companies to identify which individuals’ information an organization has,” says Mark McCreary, chief privacy officer at law firm Fox Rothschild LLP.
“Think about a marketing database that contains only and name and email address,” McCreary said. “There may not be any clue that an individual is based in the EU. Similarly, for consumer-facing companies, they may not collect enough information to identify the residence of the individual.”
In addition, companies that receive information from their customers will be required to comply with GDPR if that customer is required to comply with GDPR. “Many businesses do not appreciate that,” McCreary said. And most companies do not have a good handle on where data is located. “It is a fool’s errand to comply with GDPR—or any data protection law—if the company is not fully aware of all of the locations where data is stored,” he says.
For Facebook, the coming months will be fraught with uncertainty related to data privacy and its business in Europe.
“Facebook might temper its presence in the EU and avoid offering certain services that are likely to implicate some of the more onerous provisions of the GDPR or incur the ire of EU watchdog groups,” Eustice said. “While no company likes to limit its growth, the risk of Facebook operating in the EU as it does in the United States may be too great, given that it is the white whale of the industry.”