There’s no way to sugarcoat this message: Facebook’s founder Mark Zuckerberg believes North American users of his platform deserve a lower data protection standard than people everywhere else in the world.
In a phone interview with Reuters yesterday, Mark Zuckerberg declined to commit to universally implementing changes to the platform that are necessary to comply with the European Union’s incoming General Data Protection Regulation (GDPR).
Rather, he said the company was working on a version of the law that would bring some European privacy guarantees worldwide — declining to specify to the reporter which parts of the law would not extend worldwide.
“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” Reuters quotes Zuckerberg on the GDPR question.
This is a subtle shift of line. Facebook’s leadership has previously implied the product changes it’s making to comply with GDPR’s incoming data protection standard would be extended globally.
Back in January, COO Sheryl Sandberg said the company would be rolling out “a new privacy center globally” — putting “the core privacy settings for Facebook in one place and make it much easier for people to manage their data”.
A spokeswoman for Facebook confirmed to TechCrunch today that the changes it revealed late last month — including finally reducing its historical settings sprawl from 20 screens to just one — were what Sandberg was talking about in those earlier comments. Ergo, even those basic tweaks are a direct result of the EU regulation.
However, that universal privacy center looks to be just one portion of the changes Facebook needs to make to comply with the new EU standard. And not all these changes are going to be made available to US and Canadian Facebook users — per Zuckerberg’s remarks.
In a blog post about the new privacy center late last month, Facebook flagged additional incoming changes to its terms of service — including “commitments” to users, and the language it uses to explain how it’s processing people’s data.
It said these incoming changes would be “about transparency”.
And indeed transparency is a key underlying principle of GDPR, which places requirements on data controllers to clearly explain to people what personal data they intend to collect and for what exact purpose — in order to gain informed consent for processing the data (or, if not consent, another valid basis is required for the data processing to be legal).
What’s less clear is exactly which portions of GDPR Facebook believes it can safely separate out for users on its platform without risking accidentally mishandling the personal data of an international user — say, someone who might be visiting or living in the US — and thereby running the risk of privacy complaints and, ultimately, financial sanctions (penalties for violations can be very large under GDPR).