In the weeks since the revelations about Facebook’s irresponsible handling of data, the US tech community has made two startling discoveries. First, that they are in favour of data protection regulation. Second, that, in Europe, such regulation already exists.
The regulation in question is, of course, the General Data Protection Regulation – better known as GDPR – which comes into force on May 25, 2018. (In the UK, it is echoed by an almost identical Data Protection Bill.) And, for a longtime observer, it is bizarre to see it attracting such favourable attention. When GDPR was first passed, US commentators dismissed it as a piece of jealous protectionism. Now The New York Times is calling for similar rules in its editorial pages.
To observe the change in tone, witness the statements of Mark Zuckerberg. Under pressure to be seen taking action on data protection, Zuckerberg – who, in 2010, remember, argued that privacy was no longer a “social norm” – announced on April 2 that he would like to extend the GDPR’s protections to all Facebook’s users “in spirit”. No-one knew exactly what this meant – “We’re still nailing down details on this,” Zuckerberg told Reuters – and the backlash was swift. Op-eds were penned; tweets were fired out; US and European consumer groups made demands in open letters. A few days later, Zuckerberg issued an apologetic (if still extremely unclear) climbdown.
Somehow, GDPR, bane of IT departments and sales tool of dubious “security consultants”, has turned into a political rallying point. It’s a bit like finding that your office HR policy has become the key text for a revolutionary movement.
Zuckerberg is scheduled to appear before Congressional and Senate committees today and tomorrow to answer questions on Facebook’s ongoing problems – where, no doubt, the data protection chastisement will continue. For those unfamiliar with these sessions, imagine a pantomime, only with shoutier dames. Every Senator takes four and a half minutes to try and ask a question that’ll get them a spot on the news. The CEO takes a beating, but unless he says something truly disastrous, little of substance comes out of it.
Yet GDPR is more than a stick to beat Zuckerberg. It is also a piece of legislation, backed in Europe by impressive powers. And, as a consequence, it could be far more troubling for Facebook than the Senate’s show trial.
To see how significant GDPR is for Facebook, you only have to scroll down to the very bottom of the firm’s privacy documents, where it suggests postal addresses for “questions about this policy.” American and Canadian users are directed to the firm’s Menlo Park campus. Everyone else is pointed to Facebook’s Irish headquarters, on Grand Canal Square in Dublin’s Docklands.
GDPR covers not only individuals based in the European Union, but also data that is processed there. Since Facebook’s global data processing unit is in Ireland, that means any of its users outside the US and Canada are subject to its terms. On May 25, everyone from Australia to Zimbabwe gets new rights.
Unlike many companies, Facebook has no shortage of legal and technical expertise. Nevertheless, the looming oversight of GDPR could be a real problem for the social network, says technology policy researcher Michael Veale. “Facebook will find it very easy to comply at a basic level. The question is that the law goes pretty deep, and it goes pretty deep into their business model.”
Take, for instance, the “data download” tool Facebook offers users who want to see what the company knows about them. “This gives you quite a lot of information about yourself,” says Veale. “It does not give you all the information, quite clearly.”
Facebook has a record of every like, every click, every interaction on its site, as well as the inferences drawn from this data, to categorise people by class, political allegiance or spending power. But only the very tip of this vast iceberg appears in the download, Veale says. “It’s a partial response to the right of access, not a full response.”
It would be ironic if Facebook’s residency in Ireland did lead it into trouble, because when the company moved there in 2008, it was partly to take advantage of weak data protection enforcement. “Until recently the regulator was based above a supermarket in a dilapidated town called Portarlington,” Veale recalls. “It had about ten interns and four fully-trained people and Facebook would waltz in and write the rules. It was insane.”
Things have professionalised since then, but Ireland still has a reputation for business-friendly regulation, and it remains unclear whether questions over the exact content of Facebook’s data download will be enough to prompt regulatory action.
“My general understanding is that data protection agencies don’t want to be a police force,” says Sandra Wachter, research fellow at the Oxford Internet Institute. “The law wants to strike a balance between business interests and consumers. Fines are a last resort.”
Getting data out of Facebook has not been easy. At last month’s parliamentary committee hearing into the Cambridge Analytica-Facebook scandal, Paul-Olivier Dehaye, co-founder of PersonalData.IO, described his “years” of struggle to retrieve his personal information from the company. Eventually Facebook did give him the first ever “data download” of advertisers with his contact information – but only for an eight-week snapshot.
“Facebook is invoking an exception in Irish law in the data protection law – involving, ‘disproportionate effort’,” Dehaye explained. “So they’re saying it’s too much of an effort to give me access to this data.”
GDPR allows companies to claim a “legitimate interest” – usually commercial – not to disclose data. Will this defence be enough? Wachter isn’t sure. “It will be up to the data protection agency to decide that, and to find a balance between business and consumer. There is no preference in the law. It will depend on the individual case.”
Many observers believe that rather than undermining Facebook, Google and the like, GDPR will reinforce their position. As analyst Ben Thompson puts it: “GDPR will be a pain for Google and Facebook, but it will be lethal for many of their competitors, which means digital ad revenue post-GDPR... will go to Facebook and Google.”
Proof of that thesis came when Facebook recently locked out data brokers such as Acxiom and Experian, causing their share prices to drop precipitously. One Acxiom board member accused Facebook of using the scandal “to consolidate power over the open web”.
Yet Veale argues this consolidation could be Facebook’s greatest weakness. The decision to remove data brokers, for instance, means that the social network will have to do advertising targeting itself. “Then you have a single bottleneck point where you can intervene as a regulator and say, you can target on these grounds but not on those grounds, and please show statistically how you’re managing that process,” he says. “From a transparency centralisation point of view, it’s quite interesting.”
Dehaye made a similar point to the Commons Select Committee, as he explained the reasoning behind Facebook’s “disproportionate effort” claim. He argued that the company could be opening itself up to another set of laws once decried by American observers: competition regulation.
“What they’re saying is they’re so big that there’s no way they could provide me with this information. The cost would be too large.
“It’s not just about their user base being so large – if you parse their argument, it’s about the number of communications that are exchanged. And usually that’s taken as a measure of dominance of a communication medium... If you think about how antitrust laws work, that’s the starting point for those laws. So it’s kind of mindboggling that they don’t see their argumentation, how it’s going to hurt them at some point.”
This article was originally published by WIRED UK