Facebook to exclude 1.5bn users from GDPR protections

19 Apr 2018

Facebook mobile app. Image: sitthiphong/Shutterstock

Facebook’s latest change will reduce its exposure to GDPR sanctions.

The GDPR deadline of 25 May is fast approaching and online privacy is on the minds of many, particularly following the story of Cambridge Analytica’s deployment of ill-gotten Facebook user data to potentially alter political outcomes.

GDPR presents issues for big tech

GDPR requires companies to seek informed consent from users before collecting, using and sharing their information with partners and advertisers, among other new rules. The heavy fines (up to €20m or 4pc of global turnover, whichever is higher) could see major tech firms pay out if they are found to be non-compliant.

Today (19 April), Facebook confirmed to Reuters that only EU users will be governed by the terms of service agreed with the company’s international headquarters in Ireland – where the full weight of EU GDPR sanctions will apply.

Currently, Facebook users outside of the US and Canada are governed by the terms of service agreed with the company’s EMEA HQ in Dublin, but this is due to change in May. Users residing in Asia, Africa, Australia and Latin America will now be governed outside of the legal remit of GDPR, by Facebook US.

Implementing GDPR globally?

In a statement, the company said: “We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland.”

CEO Mark Zuckerberg had previously said that the company would apply the rules and protections of GDPR globally “in spirit” but did not commit to implementing it on a global scale officially.

The 1.5bn users that will be affected by the change will not be able to file complaints with the Office of the Data Protection Commissioner in Ireland or in Irish courts of law; instead, more lenient US privacy laws will apply.

This creates more freedom for Facebook to use certain data such as browsing history, which is considered personal data under EU law but not as stringently monitored in the US. The company said it made the decision due to the EU’s mandated privacy notices, and the specific language required by EU law.

It seems until US lawmakers put pen to paper to create concrete sanctions and legislation for data misuse such as those seen in GDPR, global implementation of GDPR by the company will not be happening.

A revised terms of service was released by Facebook in draft form two weeks ago, and these new terms will take effect in May.

Facebook mobile app. Image: sitthiphong/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects