Facebook has yet to fully enact the stringent data protection regulations for its EU users. The EU Commission has threatened them with sanctions if they do not comply by the end of the year.
Users of Facebook used to share their data with the company as well as any third-party developers of apps, games or quizzes with which users might engage. This also enabled third party developers to access the data of the users friends, making it a significant intrusion into user privacy.
The EU has been vocal about its push towards better protection of its 380 million EU consumers among tech companies. The issue became especially important in light of the Cambridge Analytica data privacy scandal, in which allegations arose about the improper use of millions of users’ Facebook data.
The EU has some of the strongest data privacy policies in the world, resulting in escalating tensions with Facebook. The EU Parliament approved the General Data Protection Regulation (GDPR) in 2016, with enforcement beginning in 2018. The GDPR applies to companies within the EU but also international companies that provide services to the EU region. In May, Facebook updated its terms of service to include recommendations from the EU. However, it has until the end of the year to fully enact the consumer protections required by the EU. The EU has been clear that failure to comply will result in sanctions against Facebook.
Facebook has defended its user data practices by showing the need for access to user data. User data enables the company to personalize sponsored content by user preferences. However, the Cambridge Analytica scandal has prompted greater consumer awareness of data privacy intrusion and lead to increased calls for strong action to be taken.
Facebook is expected to update its terms of service by mid-October with changes to be implemented by December. This will allow users to have greater information about the use of their data, enabling them to determine the extent to which they want to engage with third party developers.
While the European Commission is technically unable to sanction Facebook itself, it can influence individual countries to toughen national consumer protection regulations. This would also make it more complicated for Facebook, as staying compliant with varying policies will require greater cooperation and more changes to the terms of services.
Global scrutiny of Facebook has also increased as lawmakers around the world question Facebook’s ability to protect user data. Due to the differing standards between the United States and the EU, Facebook has made efforts to limit its exposure to GDPR by ensuring that the Africa, Asia and Latin American regions are governed by the more lax U.S. rules, rather than the stricter EU ones. In addition to making fewer changes, this allows Facebook to avoid the risk of higher sanctions. The EU law can fine companies up to 4 percent for non-compliance. Reducing the number of users (and reported revenue) under the EU umbrella results in lowered potential liability for Facebook.
As users are transferred to be under the U.S. umbrella of data protection, not all will benefit. Those who are being shifted out of the EU’s jurisdiction now face a reduction of privacy protection. Countries in this situation could be prompted into reevaluating their own data protection regulations, which might result in stricter regulations in other regions as well. Privacy jurisdictions are now mirroring the tax jurisdiction system of allowing companies to choose. Like revenue is routed through low tax regions, this means that companies can cherry-pick the country whose regulations are most advantageous. And similar to the tax implications, countries are not in favor of cherry picking, which could result in a more uniform global policy.
Additionally, the Cambridge Analytica scandal raised awareness among users about privacy intrusions. This pubic perception could result in further changes to Facebook’s terms of service if consumers start to take a more active role in controlling their data, especially as retaining users is a primary concern for the company.
Our assessment is that Facebook’s efforts to resist stringent data protection laws will not ultimately be successful. We feel that the EU is determined to ensure its citizens receive strong protection and is likely to pressure Facebook, with sanctions and policies, to ensure compliance. We also feel that Facebook’s strategy of limiting exposure will not be sustainable as other countries see this as an incentive to toughen up their own data protection regulations. As technology continues to transcend geographic borders, consumer laws could follow.