Facebook is moving the profile data of more than 1.5 billion users out of Ireland and shifting them to Silicon Valley in a bid to avoid strict European privacy rules that go into effect in May.
Facebook’s move comes on the heels of scathing criticism of its data policies in the U.S. and the U.K. for failing to protect user data from being sold to political targeting firm Cambridge Analytica.
In the aftermath, Facebook CEO Mark Zuckerberg said the company would offer the E.U.’s stricter privacy rules to all users. But according to a report by Reuters, Facebook is moving data on all its users in Africa, Asia, Australia, and Latin America out of Ireland in order to avoid any legal penalty for violating Europe’s new privacy law called the General Data Protection Regulation, or GDPR.
Because Facebook hosts international data at its headquarters in Ireland, much of the world benefits from Europe’s stricter privacy laws. But shifting the data to U.S. facilities means Europe’s new privacy law will not apply.
The move comes after a tumultuous month for Facebook, during which Zuckerberg has faced questioning in Congress. The company promised to give all of its users the same protections enshrined in GDPR “in spirit,” but the company could not be liable for any punishment or fines should it breach those rules under U.S. law.
European privacy experts expressed shock at the move. “The way they have done it is astounding,” Michael Veale, a technology policy researcher at University College London, told VICE News, adding that the company’s decision was likely taken because it may be worried that GDPR privacy laws will be greatly extended in the future.
So what has Facebook just done?
Until now, all Facebook users outside of the U.S. and Canada signed up for their accounts under terms of service that said all their data would be processed through Facebook Ireland.
This meant that whatever laws Ireland or the EU mandated applied to all international users.
Now, while Facebook’s 370 million European users will remain under the auspices of Facebook Ireland, everyone else gets moved to Facebook Inc, based in Menlo Park, which has to comply with the much-less-strict U.S. data protection laws.
What is GDPR?
On May 25, GDPR will become law in the European Union.
For consumers, the biggest change is that they now need to give informed consent to how their data is being collected and used.
Consumers can also ask any company for all the information it holds on them, free of charge, and companies will have to make it easier for consumers to take their data with them to an alternative service if they so wish.
For companies, there are stricter rules around collecting, processing, and storing data, as well as ensuring there are adequate data protection policies in place. Companies will have to disclose data breaches within 72 hours.
However, for big companies like Facebook, the biggest implication could be new fines the EU can levy on companies, which can be up to 4 percent of global annual revenue. In Facebook’s case, that would amount to almost $2 billion, based on 2017 revenues.
Is Facebook complying with GDPR?
Yes. Facebook announced this week that it was rolling out a range of new privacy policies to comply with GDPR in Europe. Customers are already being offered new options, which the company claims will make it easier for consumers to tweak their privacy settings however they want.
However, as a number of people have already pointed out, the way Facebook has designed the steps users have to go through to give their consent means most users will end up sharing more and not less information with the company.
But isn’t Facebook bringing GDPR protections to all users?
It’s really unclear.
Initially Zuckerberg said earlier this month: “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing.”
Then, in front of Congress a week later, Zuckerberg promised that GDPR’s protections would apply to all Facebook users, but he referred to GDPR “controls” rather than “protections.”
In a statement to Reuters about the changing terms of service, Facebook said: “We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland.”
However, those Facebook users outside Europe will no longer be able to file complaints to the Irish data protection commissioner, and Facebook won’t be liable to pay the swingeing fines it may have faced for breaching EU law.
What’s the reaction going to be?
Regulators in Africa, Asia, Australia and Latin America will now have to assess what to do when their citizens’ data has been compromised or misused.
Until now, all have relied on Europe’s, and in particular Ireland’s, strict data privacy protections, but Facebook’s change to its terms of service could bring about major changes.
“I think there will be a backlash and it will be from countries that have privacy laws, that previously would not litigate Facebook because Ireland had a higher privacy law,” Veale said.
Such countries include Australia and New Zealand, both of which have privacy acts that are much more like data protection than they are U.S. law.
“It will encourage these countries to bring cases against Facebook in their own courts, which are very likely to conclude that Facebook has to obey local law in processing that data,” Veale said. “We could be seeing a real change in the way the internet is governed.”
Cover image: Facebook co-founder, Chairman and CEO Mark Zuckerberg testifies before the House Energy and Commerce Committee in the Rayburn House Office Building on Capitol Hill April 11, 2018 in Washington, DC. (Photo by Chip Somodevilla/Getty Images)