Facebook urged to make GDPR its “baseline standard” globally

From TechCrunch - April 9, 2018

Facebook is facing calls from consumer groups to make the European Union’s incoming GDPR data protection framework the “baseline standard” for all Facebook services.

The update to the bloc’s data protection framework is intended to strengthen consumers’ control over how their personal data is used by bolstering transparency and consent requirements, and beefing up penalties for data breaches and privacy violations.

In an open letter addressed to founder Mark Zuckerberg, a coalition of US and EU consumer and privacy rights groups urges the company to “confirm your company’s commitment to global compliance with the GDPR and provide specific details on how the company plans to implement these changes in your testimony before the US Congress this week”.

The letter is written by the Trans Atlantic Consumer Dialogue, and co-signed by Jeffrey Chester, the executive director of the Center for Digital Democracy in the US, and Finn Lützow-Holm Myrstad, the head of the digital services section at the Norwegian Consumer Council.

“The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process,” they write. “The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located.

“We favor the continued growth of the digital economy and we strongly support innovation. The unregulated collection and use of personal data threatens this future. Data breaches, identity theft, cyber-attack, and financial fraud are all on the rise. The vast collection of personal data has also diminished competition. And the targeting of internet users, based on detailed and secret profiling with opaque algorithms, threatens not only consumer privacy but also democratic institutions.”

Zuckerberg caused confusion about Facebook’s intentions towards GDPR last week when he refused to confirm whether the company would apply the same compliance measures for users in North America, suggesting domestic and Canadian Facebookers, whose data is processed in the US, rather than Ireland (where its international HQ is based), would be subject to lower privacy standards than all other users (whose data is processed within the EU) after May 25 when GDPR comes into force.

In a subsequent conference call with reporters, Zuckerberg further fogged the issue by saying Facebook intends to make all the same controls available everywhere, not just in Europe, yet he went on to caveat that by adding: “Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places.”

Privacy experts were quick to point out that controls and settings are just one component of the data protection regulation. If Facebook is truly going to apply GDPR universally it will need to give every Facebook user the same high privacy and data protection standards that GDPR mandates for EU citizens, such as by providing users with the right to view, amend and delete personal data it holds on them; and the right to obtain a copy of this personal data in a portable format.

Facebook does currently provide some user data on request, but this is by no means comprehensive. For example, it only provides an eight-week snapshot of information to users about which advertisers have told it they have a user’s consent to process their information.

In denying a more fulsome fulfillment of what’s known in Europe as a subject access request, the company told one requester, Paul-Olivier Dehaye, the co-founder of PersonalData.IO, that it would involve disproportionate effort to fulfill his request, invoking an exception in Irish law in order to circumvent current EU privacy laws.

“[Facebook] are really arguing we are too big to comply with data protection law,” Dehaye told a UK parliamentary committee last month, discussing how difficult it has been to get the company to divulge information it holds about him. “The costs would be too high for us. Which is mindboggling that they wouldn’t see the direction they’re going there. Do they really want to make that argument?”

Whether that situation changes once GDPR is in force remains to be seen.

The new framework at least introduces a regime of much larger penalties for privacy violations, beefing up enforcement with maximum fines of up to 4% of a company’s global annual turnover. So the legal risks of trying to circumvent EU data protection law will inflate substantially in just over a month.

