Best endorsement of GDPR they could possibly make. Everyone knows Facebook collects more data than most people probably want so it follows that a privacy law they don't want to roll out everywhere must help curtail that to some degree.
Yeah, and to a degree that theyre willing to eat the cost of maintaining a much more complicated privacy structure (and, inherently, code base) to not roll it out everywhere.
I don't think that maintaining different strategies in different areas is the more costly procedure.
The assumption you're making here is that GDPR is one and done. In all likelihood, most major jurisdictions are going to introduce privacy laws at some point. If you don't build your international service to allow for different rules in different jurisdictions you're going to have to follow the strictest of those laws. Heck, I'd put money on some countries forcing some web services to record some data for law enforcement purposes and other countries barring facebook from recording the same data for privacy reasons.
So really, you have to build this system in a way that can be tailored to each market you operate in.
Playing devil's advocate: it could also be that their implementation of the GDPR necessarily restricts functionality from the user's point of view. And they simply want their users to have the best (in their view) possible experience.
It's quite telling in such a situation when a company like Facebook hypothetically won't deliver a certain feature if they have to make their intentions clear. The immediate assumption is that they don't believe their justifications for it are sound and nobody would opt in, so they depend on keeping those motives private. Quite ironic, expecting your users to trust you but not trusting them at all, but I suppose that's business more than anything (sadly).
In the same sense as medical trial guidelines diminish scientist freedom and safety regulations regulate the freedom of engineers. Sorry, but just as I demand that if I walk into a hospital I'm being treated safely, consumers can demand the same thing from me as a developer.
Compared to the freedoms of millions and billions of uses my 'developer freedom' is pretty far down the list of things that matter. As developers we are servicing people, they are not our lab rats.
Social networking software is not in any way equivalent to medicine so thank you for making this false equivalence because it proves the point that these regulations are ridiculous.
If you don't want facebook to track you don't make an account on their website and don't click any of the stupid buttons on their website.
Having seen the influence social media can have on our discourse and even our political systems, including manipulation of democratic elections I think that comparison is absolutely warranted. It is the infrastructure of our modern communication, not just a 'website with stupid buttons'.
Without regulation like GDPR, Facebook aren't obliged to state what those stupid buttons actually do with regards to the information they store about you.
Being open and honest with people really doesn't slow down development all that much.
This is like saying that prescription-drug regulations are limiting speed/freedom. When those things are dangerous to the user, they should be limited!
And I still don't agree that it slows anyone down. Want to launch a new feature quickly? No problem, go ahead and launch it. All you have to do is add an opt-in dialog at the beginning.
As far as freedom goes, we've seen the abuses of that freedom and it's time to limit it.
There is an approach to use a disclaimer to state a controversial view. There are many forms to this: "I am not a racist, but...", "No offense, but..." , "Let me play a devil's advocate, ..." , Etc.
The form usually proceeds by stating a view. You think attribution is more important than the propagation (or content) of the view, and that is fine. For me, the content and propagation usually rank higher.
In the case of FB, I think we all had enough proof that the quest for money is above everything. According to the latest leaks about their execs, even above human lives.
So, at this point, I find any attempt to defend them, even hypothetical, sad.
I know of at least two of the large (multiple tens and hundreds of billions in market cap) tech companies (other than Apple, already mentioned in this thread) who are making a lot of global changes for GDPR.
> obviously
Isn't it a significant expense to comply with the GDPR, especially in Facebook's business? I'm guessing the only companies doing this don't have much to lose by complying globally.
1. The administrative/maintenance cost of complying: this is sunk if you have European users at all.
2. The cost of the measures to your business model, if personal user data is a central part of your business model.
3. The adminstrative cost of maintaining radically different user data management systems for EU -vs- non-EU users.
Doing number 3 is only worthwhile if it's a lower cost than number 2. I would guess 3 would be higher than 2 for most companies. Clearly, 2 is extremely high for Facebook.
I can imagine that there is a local minimum of costs 2 & 3 where the infrastructure is modelled so that privacy legislation is supported, but the company makes no commitment to enforcement/compliance anywhere but the relevant jurisdiction. That way you've take the sunk costs of development (technical and compliance), but drained the project of any administrative costs for the rest of the world...
If you do business in the EU, you'll incur most of those expenses anyways. It makes sense that companies would offer privacy protection to all their paying customers.
In the case of Facebook, it makes sense that they wouldn't want to offer privacy protection to their livestock.
I mean cloud providers are different. First, there's that level of indirection. You're a customer, not necessarily falling under the GDPR, but your customers might. So the mechanisms are in place to handle that worldwide, which you could choose to extend to everybody. Then there's the data from you being a customer directly, which is largely exempt from many GDPR things like opt-in anyway, since they actually need it to e.g. bill you, provide customer support, etc.
So far, I don't think any cloud providers show you ads based on your usage, but it's only a matter of time :) / :(
At some stage Americans need to expand their definition of what "freedom" is. Right now maintaining freedom from government is almost a national passtime (and arguably quite effect), but in the meantime infringement from private organizations has expanded and I'd argue is now the predominant issue facing your average citizen.
You have HOAs acting as government, tech companies acting as intelligence organizations, private security acting as police, and heck even private companies buying up roads/bridges maintaining them and charging a fee.
The whole "make a different choice" retort whenever private organizations do something evil is getting less and less believable with every passing day. For example, in a lot of cities almost every neighborhood has a HOA.
While there certainly is room to improve privacy legislation, it must be done carefully. More legislation is not always better. For example, I'm strongly against forcing search engines to remove entries based on a single person's 'right to forget.'
Then let's talk about how careful. "Right to forget" premises data ownership by the person, with which you apparently disagree.
So, if people should not have complete control over data about themselves, where should the line be drawn on the usage of that data when people can't tell companies what to do with it? Who should draw that line?
You seem incredulous that anyone can have a good faith argument against the "right to be forgotten."
One person's right to be forgotten conflicts with the public's interest in knowing things. For example, if a given doctor has botched several surgeries, and I am considering to become his patient, the doctor's right to have those incidents forgotten conflicts with my interest in knowing his track record. This is one example, but such cases are myriad.
Of course the laws surrounding the right to be forgotten in Europe are not boundless (though they are, to my mind, quite vague) and I'm sure supporters will be quick to point out the the case of the doctor above may not be covered by the right to be forgotten. And that is a nice point in theory, but in practice is moot. Europe has put the burden of correctly determining what is in the public interest squarely on the shoulders of online aggregators. If an aggregator's interpretation of a broad set of laws is later found to not be in keeping with the opinion of European courts, the aggregators are the ones that will be footing the fines.
Forcing search engines to all become court systems which adjudicate millions of cases is extremely onerous. Companies are not going to spend billions doing that. They are just going to remove whatever requests they get, DMCA style. The end result is that Europe has given everyone a more or less unrestricted delete button. Google has already delisted more than a million URLs (including for a doctor that botched several surgeries).
Further, until the the whole world gets on board, I imagine there will always be access to search engines that do not delist results. So not only are companies forced to rubber stamp millions of delist requests, it's also completely pointless!
Personally, if society believes the right to be forgotten is worth enshrining, instead of shirking responsibility of actually enforcing it onto tech giants, we should have the courts adjudicate the requests so that the public interest will be appropriately weighed. Of course this will be much more expensive, but like health, education, and so on, doing the right thing is often expensive.
Except even in Europe, there isn't really a "right to be forgotten". Your "right to be forgotten" doesn't mean you can make a newspaper to take down a factually accurate article about you, just to force a search engine to stop linking to that factually accurate article. They didn't give anyone control of the data about themselves, just the right to make it harder to find.
I had posted it on the other link as well where Panera Bread's leaks were discussed (1 and 2), but since it is relevant to this discussion, reposting it here. I have edited my conclusion a bit from the original two postings:
Commenting only on the speed of response (or the glacial interpretation of it in Panera's case):
For companies operating in European Union, the General Data Protection Regulation (GDPR) (3) mandates that such breaches need to be disclosed under 72 hours. The implementation deadline for GDPR is by end of May 2018 (~7 weeks to go).
Underarmor, a US-based sports apparel manufacturer, who operates in EU as well, recently had a breach that affected 150-million users, and went public within 3 days of discovering the breach (4).
I believe UnderArmor's case is the norm we can expect going forward. As most companies are not "tech" in nature, unlike FB which happens to be one, it will make sense for them to keep just one security policy and the legally mandated strictest one may be the dominant policy across the enterprise.
It's worth noting that Article 33(1)[1] states that a breach must be reported to the local supervisory authority unless said breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'. This call is made by the organisation which suffered from the breach, by the way (certainly in the absence of any case law).
It will be interesting to see the interpretation of that clause in action, specifically when looking at information such as IP address which is still considered a grey area.
While the decision to do/not-do is up to the company; They still have to document it (in any case, even non-personal), mention the reason for not reporting (e.g. "it's only an IP address") and make that document available upon request.
So if the breach turns out to be a bit more major than then want every one to think it is and it turns out that it was major in the end, there either is a paper trail or worst case for them no paper trail and probably a worse fine.
Definitely, as do most of us. But that IMO is mostly attributable to the network effect and not to anything particularly special about Facebook as an application. An incumbent social network with mostly identical software, minus the spying plus an ethical monetization strategy, would be out-competed financially by Facebook unless user tracking is regulated more closely.
I now live in a country where Facebook is a major part of how people function online. I deleted my profile and stayed off for 2 years when I still lived in the US, but here it's more vital to have one unfortunately.
Not because it's a particularly good service. Mainly because everyone is on there. It would also be fine if everyone was on Google plus or anything else but it's the only place where I know I can reach most people I know.
I stopped using facebook in 2008, and I wonder if my social life degraded because of not using it.
Since everyone is on it, it would make sense that not using it would "exclude" you or a social standard or norm.
There are two sides to this.
First, I don't since exchanging on facebook is relevant or meaningful social exchange. Teamspeak or skype are more meaningful, but facebook only brings delayed text, photo and video, while real time matters more.
The second side is that as I've discussed already, there are no discovery feature on facebook. You don't make new friends thanks to facebook, you only do with Tinder, meetup, Uber, etc. The friendship relation in facebook is one of exclusivity. I don't think facebook events or groups are really attractive to users, or really do create new friendships, beyond the classical scenario of real life meeting. If you make new friends, it's not really thanks to facebook, because organizing an event can be done on any other platform, or even by email.
So it's true that user base matters a lot, but facebook seems to have little to no usefulness. It's just for messaging, posting photos, event exposure. It's just a very large myspace, with improved features, but it brings nothing new to the table.
facebook only brings delayed text, photo and video, while real time matters more.
You mean, except for FB Messenger (and Whatsapp, which should be included if one it talking about the company practices).
The second side is that as I've discussed already, there are no discovery feature on facebook.
I'm not a user, but AFAIK it does suggest friends to you. Plus, you often interact with friends-of-friends (e.g. through comments on posts of your friends), which does allow you to discover new people.
Facebook is like a phonebook with everyone I've met. I live away from where I grew up so often contact with friends has large gaps. I don't have everyone's email/phone and those change. To get them once they change I'd need a directory like Facebook.
Network effect and low friction is why it's useful but if everyone was on some other platform where I could find them by name I'd happily switch given I mostly use it for messaging and event planning.
I think anyone who argues it’s not useful or at least compelling is being disingenuous. None of this would even be an issue if Facebook wasn’t important to the infrastructure of modern life for billions of people.
I'd be totally fine without the routine of going to Facebook. My problem is that there's not a clear substitute for the specific typos of info I use it for, for the specific relationships I maintain through it, and for the reach I get for things I share.
I don't know if you have a fanpage or anything, but if you just do it personally, I have far more reach sharing on HN, reddit, and my personal site compared to Facebook.
The problem with Facebook other than bad privacy is that it doesn't take much to press the like button. Someone clicking like doesn't mean shit - maybe they're being nice to you. Most likely they're bored. Next 5 seconds their mind will be to something else. Plus, Facebook is ruthless to the freshness of things, so shit you spent a lot of time producing only gets a shot temporarily in the present and then imediatelly forgotten if they shared to 10 people and they don't care. You're not a creator, you're an easily replacacle cog in their system. I have had things that picked up long after I produced them on my site - I can't imagine doing that with Facebook.
FYI, I recently deactivated my Facebook account and found I could still use messenger. That seemed like a great compromise to me. I still have had to reactivate it a couple times for some third party login, but I deactivated again right after that.
How does Facebook distinguish between US and European users? Does it do it based in IP address? On GPS data it slurps up from mobile applications? On the manually selected city the user specifies that they live in? Facebook also operates a TOR service, how can it comply whilst not knowing where the user is signing in from? Does a European user who uses an American VPN become classified as an American user and vice versa? There is probably a business opportunity here somewhere to provide European data privacy as a service. It all seems pretty complicated.
If a company wants to operate in Europe and accept European customers, they abide by the law.
If they can't manage to figure out they're servicing european customers and protect their data according to the law, then they get fined substantially.
It might be complicated, but the onus is on the company not the user, making this Facebook's problem to resolve.
This seems a bit too dismissive to me. The notion of jurisdiction for a transaction or contractual relationship is indeed pretty complicated.
It isn't clear to me that the burden should be on the service provider to discern the legal domicile of a user and to be required to adjust its business practices to accommodate the regulations of their 'home' jurisdiction. Wouldn't that rapidly devolve into every service provider being required to operate within the rules of some extremely complicated intersection of all possible jurisdictions?
It is actually very simple. Ask the user. If the user says he lives in Berlin, then apply EU laws to his data. If Facebook tries to "discern" the domicile and incorrectly discerns the domicile then that's Facebook's problem.
> If the user says he lives in Berlin, then apply EU laws to his data. If Facebook tries to "discern" the domicile and incorrectly discerns the domicile then that's Facebook's problem.
I hope they do this, and don't try to cross-check against login IPs or anything. I just set my FB city and hometown to European ones to increase my chances of benefiting from the GDPR.
And what if the user says they live in <insert-evil-country-here>? Are you then required to apply the laws of <insert-evil-country-here>? If not, why not? Do I know need to understand the laws of every country in the world?
And how to you decide between <good-country>, <so-so-country>, and <evil-country>?
As of now, yes.
If <evil country> has any leverage on your company (you have a business presence there, you travel there, or they have access to your assets) you’ll need to comply with their rules for the users living there.
Why not? Presumably they're the ones seeking to make money off the user's data; I see no problem with putting the onus on them to protect the user's privacy as well.
I think you are changing the problem definition a bit.
"Protect the user's privacy" is not at all the same thing as "follow all the laws of the user's home jurisdiction".
If there is a legal obligation to follow the laws regarding privacy then what about any other laws? What about disclosure laws where service providers in the home country are required to disclose information to the government? Should the foreign service provider be required to follow those laws also? If not, why not?
I'm saying if that you argue that country-a service provider is required to follow the laws of a user from country-b, perhaps because you agree with the laws of country-b (regarding "protection of privacy" in this case), then that logic creates a problem when you don't like the laws of country-b or when they in fact conflict with the laws of country-a.
I was specifically responding the the assertion that "If a company wants to operate in Europe and accept European customers, they abide by the law" and pointing out that accepting that logic may not lead where you want it to lead.
Sure you can refuse to do business with customers from other countries, but now you have to have some process for determining what jurisdiction the user is from including figuring out how to protect yourself from a foreign jurisdiction that decides that you didn't do enough to discern the true jurisdiction of the user (who may have given incorrect information, clicked through the form, etc).
It is not obvious exactly what would be the best way to manage that risk.
If FB took the absolute safest approach, they'd apply the restrictions to any account that has been signed in from an EU IP address -or- which lists an EU address.
Have you been in a coma for the past 10 years? Facebook is a surveilance company, they know everything about you. Where you are physically located was probably the bits of informaiton they learned about you.
How can this be legal? I travel to Europe frequently for work. I use (well technically used) Facebook to stay in touch with people back home. But shouldn't my data be covered under GDPR if I've saved data from within the European Economic Area?
> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers an Data Processors.
It's not even resident, the bar is far lower. A US resident on holidays to europe is covered.
How is this enforced? For facebook, let's say, is all I have to do is change my country from a non-European country to a European country, and I'm good? Because that is a fairly easy line to cross.
I've asked about this before in another thread but didn't get anything useful for me. How can I get the benefit of being a EU resident, with respect to GDPR, while not physically being in the EU? What I'm asking for may probably sound like a fraudulent thing, but I value my privacy a lot, and if there are any steps I can consider to make myself come under GDPR (without moving to the EU), I'd like to know.
Using a VPN to connect to a location in Europe might work, if the company uses IP address to check whether a user is in the EU.
Of course, Facebook has other options (many users just tell them where they live, you can even fill out an address) so you could try claiming to live in the EU there, too.
Which is particularly interesting for me the next couple of election cycles, as I am a US citizen registered to vote back in the last place in the US I resided - and live in Germany, which was notable for its data protection laws even before GDPR.
I might have a moral obligation to use Facebook again.
This is less attractive when you realize that all big companies will have a non-European subsidiary pay a non-European component of facebook for all their advertising needs, which would hugely lower the revenue base that 4% is calculated from.
Cooperations have had 2 years meeting GDPR requirements.
If you're late to the party, which I think the majority businesses in and out of Europe are, means you have made other priorities.
Question is whether or not how hard they hit when GDPR goes live 25th of May. That remains to be seen, but it wouldn't surprise me if there's a `grace` period.
Even if you could somehow hide that, the penalty is 4% of global revenue or 20 million euros, whichever is higher. So That's still a very high fine since it's per violation and I'm sure I'm not alone in that I will be sending facebook, google and many other data companies these requests as soon as the law takes effect.
Of course you could simply comply with the law. It's only made to look super difficult by those that would like to avoid compliance. But in practice it is actually fairly reasonable and if you were a conscientious operator you most likely already had 90% or so of the technical measures in place long ago.
Maybe an unpopular opinion, but I think GDPR is not net good. It has its good parts, but overall it doesn't really improve security (think of all the big data breaches, GDPR wouldn't help there), but makes many things harder, especially for small companies and hence stifles innovation. Like the infamous "cookies law" but on larger scale. Governments pressure private companies with this, but in the same time are making it easier and easier for themselves (govmnts) to spy on people and infringe on people's privacy (in the name of fight against terrorism, or "for the children" etc)
GDPR is already reducing the number of data breaches before it has even come into existence. Try booking a pentest from a company with a good rep in Europe right now and see what answers you get. Companies have finally woken up to the fact that security is no longer optional, that's a good thing in my book.
GDPR can help advocates for privacy within an organisation. Rather than argue with nebulous harm from potential bad PR, you can say "If we don't do this, we risk a fine of $LOTS"
GDPR puts legal teeth with $MegaFines onto a lot of internal IT political battles beyond security, too.
Unified project processes, mandatory architectural reviews, IT-driven planning... if you're in a domain with lots of personal data the answer to why can't be cowboys and ignore IT 'just this one time' goes from "because we are trying to do IT right, dammit" to "because it's illegal" or "because the compliance costs are too high".
It actually mandates that you need to protect the data, and if it gets breached you need to notify the data subjects. So for example uber couldn't have a massive breach and just pay the hackers off and keep quiet.
The GDPR is a massive good for users of online services.
The basics of it aren't hard: build your systems to not store too much data you don't need, get permission for the data you store, make sure it's secure and make sure you can delete it when needed. I don't think that is too much to ask, do you?
EDIT:
> Governments pressure private companies with this, but in the same time are making it easier and easier for themselves (govmnts) to spy on people and infringe on people's privacy
Looking at how prism and other programs worked/works it seems like what GDPR encourage (Don't store what you don't need) would have actually helped against that.
With GDPR it will be harder to create a service that stores everything about you forever to be retrived by FISA or whoever, and simpler to create a service that just stores what it needs, and encrypts everything it can.
The counter to that is all you are left with is giant mega corps that can pay the associated costs. I'm not sure that this is a much better alternative
Or you'll end up with small business that don't make their money taking a garden rake across your personal data and bagging it up for the world to see.
I can't help but feel that the decisions behind `excluding these features globally` or `targeting these features specifically` are made for less than savory reasons.
I would understand if these features are available, though default to their 'current'/'non GDPR compliant' setting - but this does not seem to be the case.
Without an explanation how and why these decisions are being made, which is not 'legally' required; I think more and more users should question Facebook, and their motives.
“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” Reuters quotes Zuckerberg on the GDPR question.
I'd prefer "no comment atm" rather than this string of vague words, but then TC wouldn't have an article.
We're spending a lot of money finalizing our GPDR implementation right now. I wouldn't know how to not extend it globally. That would be significant additional work at this point.
This was my reaction: they're either even better programmers than I thought if they don't see bifurcating their approach to users based on temporal geographic locations or they're dumber than rocks.
Since it applies to all EU citizens, there's no way for them to filter geographically or they wouldn't be honoring the rights of expats or anyone travelling. I'm going with dumber than rocks.
Yeah, and I'm sure there are solutions smarter than I can imagine, where all user-generated data gets consumed through a pipe and it's just a matter of having guards that look at the combination of user data type and user location and filter it out. But it feels to me like there are still going to be a million little branching problems at places beyond the pipe.
I can't imagine it would be too hard for Facebook to extend the work they've done for GDPR to all other countries and am surprised they are choosing not to as it only puts them in a worse position with the American public and any other non-EU country that is privacy conscious.
Then you get into the quagmire of what is personal data, right? As in, how many clicks on external ads are considered personal data? IIRC the definition of personal data under GDPR is "any data or collection of data that when combined with any other data can uniquely identify you" (or at least that is what my company is operating under). So that means a lot more that what we traditionally see as "personal data".
I’m not sure I follow? By clicking on an advert you’re moving to a 3rd party with their own potential collection and collation of personal data, and their own opt-in requirements. It would be down to the advertiser at that point to receive consent from the user.
In this case the advertisers don’t get a choice. Under GDPR data subjects have to opt in to personal data collection and processing by third parties, and they can’t be denied access to the service for failing to opt in. The advertisers are going to have to get used to a new reality of mostly targeting page context.
Does anyone know how one can mark him/herself as a "European Citizen" on Facebook so that this GDPR protection applies? Not for me personally, asking for a friend.
A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers an Data Processors.
If the Data Subject, moves out of the EU border and say becomes an expat, or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.
It is based on where you and the business are at, not the users citizenship. If you are in the EU you are covered. If the business is in the EU you are also covered. Data being processed in the EU is covered (and transferring it to the US is also processing it). In other words the data is covered by the GDPR if it is inside the EU at any point.
EDIT: So to answer the question directly: No, if you use a US located business from outside the EU you aren't covered no matter your citizenship, unless the data is being processed in the EU at some point.
That does not appear to be correct in general, although it is correct in special cases.
Here's Article 3, "Territorial Scope", from the regulations.
---- begin quote ----
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
---- end quote ----
In the following, I'm going to say "company" rather than "processor or controller", and am going to say "EU company" or "non-EU company" instead of all that verbiage about established in the Union.
From (1) we have that an EU company has to apply GDPR everywhere to everyone.
From (2) we have have that a company, regardless of whether it is an EU company or a non-EU company, has to apply GDPR if it offers good or services to people in the EU or monitors their behavior in the EU.
(3) is just telling us that non-EU companies may also fall under (1) if international law says so.
Putting this together, it seems that for an EU citizen abroad they are under GDPR as far as EU companies are concerned, but are NOT under it for non-EU companies unless they are abroad somewhere where (3) applies. They are under it for non-EU companies only when being offered goods or services in the EU or when being monitored in the EU, so only when they are not abroad.
While that may be technically true, the specifics of the law would make it impossible to follow unless companies assumed everyone who visited their site was an EU citizen.
For example , using google analytics in many cases in the EU will now require opt-in consent, even for anonymous visitors. But unless a user registers and says, "hey, I'm an EU Citizen actually" you wouldn't know ahead of time. Make much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
> Make much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
That could be risky for EU users abroad or behind VPN's, no?
While I understand the 'plight' of companies who rely on data sucking in some way, this strikes me as a good reason to just assume everyone is from the EU and figure out how to make a profit despite that.
My unprofessional, based on nothing guess is that no one will be prosecuted for that kind of technicality, as there will be much bigger fish to fry of large companies totally flaunting major pieces of the law.
I don’t think that’s true with Google Analytics: the ToS there already prohibits you from storing personal data in it, so there are theoretically no GDPR implications if you’re doing it properly (e.g. /edit-account rather than /[username]/edit-account)
We've posted two conflicting answers to this question and I think that's indicative of how little the law is understood, only a few weeks from going into force.
Just because people on messageboards are posting different things, doesn't mean the law is unclear. GDPR Art 3 is relatively clear that it wouldn't apply just because an EU citizen is in the USA. Once that person is in the EU, then it applies.
Well I didn't necessarily say the law itself is unclear, just that the understanding of it as a whole seems to be unclear. Anecdotally, almost everyone I speak to at events seems to have different views on what they need to do. I'm in the EU.
I've never been a member, but I know they have a shadow profile of everyone. I blocked facebook and other tracking at the router some time ago, but am thinking of "showing up" from a European VPN in hopes they get spooked enough to delete my data.
As someone implementing GDPR right now on a news website, its going to come down to this...
We detect that traffic is coming from the EU so we treat you differently and ask for consent etc. If you are Non-EU its business as usual.
There are weird edge cases: If you are in the EU and use a VPN to appear to be in Virginia then we will not know you are really in the EU and you will get the non-GDPR treatment. Again, technically we can only do so much.
Has there been a discussion if it wouldn't be easier/cheaper to apply the GDPR rules for everyone?
I mean, if you keep the logs in the same place you will still need to scrub IP addresses from them and every other thing that comes with it, so wouldn't it be easier to treat everyone with the most strict privacy standard?
GDPR doesn't differentiate by citizenship. However it applies if the company is in the EU (which Facebook Ireland Ltd is, and (AFAIK) all non-USA & non-Canadian citizens have a contract with them), or if the person is in the EU.
No surprise there. But it may serve as yet another reminder that privacy protection can only result from laws and not from the mercy of Facebook and its ilk.
Doubt that lawmakers will really protect users. Think the only way to lead to substantive change would be for users to take collective action through protests [1]. Imagine how quickly the company would take action to make real changes to user privacy if a Facebook User strike took place...
So we get the people in charge of handling equifax and creating the nsa to create privacy laws? The only thing these laws will do is moat out competition who can't handle regulatory costs, which is likely why it's being supported in the first place.
... and suddenly legislation/coercion doesn't seem so bad if you value privacy as a path society should veer towards. It doesn't seem the market's doing its magic in our favor in this area.
I'm so glad I closed my FB account a while back. It has restored my sanity and I also don't have to worry about megalomaniacs such as Zuckerberg sifting through my data and selling it.
I think we should start a campaign and lobby our own government to pass a law similar to GDPR.
> I also don't have to worry about megalomaniacs such as Zuckerberg sifting through my data and selling it.
No, they track everyone across the web via their embedded pixels and create "shadow profiles." I have never joined Facebook, but they still know me. I block their tracking by blocking their various websites. I'm not sure that's enough as I understand they still buy data. In their defense, I don't think they sell my data, except perhaps to the NSA.
I don't see how shadow profiles can be justified under GDPR and ePrivacy. If have identifiable information (just "some" ID will do, but also IP and various other fingerprints) then you need to allow for deletion/takeout/opt-out. Current strategy of implied consent ("if you're on this site you agree") is strictly not allowed.
It's not. Well, as long as the GDPR applies. So, if we assume there are a 5 billion profiles on fb (2 billion actual users, and everyone else that use the Web at least occasionally - I'm not sure if 5 billion total is a bit high) - compliance with GDPR would render some 100s million high value profiles illegal. Applying the GDPR to the remaining profiles would require an entirely new business model for Facebook.
You may have closed your account with Facebook. They haven't closed their account with you. They maintain information on people who don't have accounts
> Zuckerberg said many of the tools that are part of the law, such as the ability of users to delete all their data, are already available for people on Facebook.
Uhm, do those tools actually delete the data though? Are they not required to under GDPR?
Disingenuous as always.
Gdpr requires a maximum grace period of 30 days to comply with the erase request.
Facebook holds your stuff for 90 days. Just as an example.
Data management is just a part of the law, by the way. Facebook is currently not complying with all the obligations about privacy by design and defaulting to opt-out.
And that's not even getting into logs or backups, which will probably be a problem to delete from for smaller companies (since I'm assuming that facebook couldn't keep logs or backups for 30 days since that would be massive)
“The vast majority of what is required here are things that we’ve already had for years across the world for everyone.”
My understanding is that GDPR would require a deep delete of user data from Facebook's systems. Anyone have info on how that would work with shadow profiles that Facebook creates on your behalf and without your consent? Seems like this would fall under the domain of GDPR. (Which also makes me think of just how misleading that quote is from Zuckerberg)
Yes. I've talked with some in the social media industry about addressing GDPR. What it means is a massive shift in the way data is handled.
What's the difference? Well, it's helpful to have some context on how data is used in a place like FB. Data originates (for the most part) with the user. It get's dropped in one of the many operational data sources that back the service. From there, it's mostly waiting to be used by someone for some reason, which might be a ML project or something else. So, then you will want to move the data. You'll make some sort of pipeline from the source to where you want to work, such as ETL the data you want out or set up some sort of messaging system to handle things in an online way.
Maybe now that you have the data, you'll share it with other people working on the project. The data might be distributed (best case) through an environment meant to work with the data (e.g., Spark/HDFS/Hadoop) or might just be sent piecemeal as CSVs. Once the project is done, the data might just be left in place. Who knows where those CSV's go?
One of the big requirements of GDPR is deleting an individual's data EVERYWHERE. And while the above is a sort of simplified view of user of data in a logical manner, I can assure you someone out there somewhere is doing something that doesn't make sense. In light of that, getting rid of a person's data everywhere is a HUGE architectural/infrastructural/process problem for a platform like FB.
That is because it is misleading. Under the GDPR, they would have to hard delete those shadow profiles. For everyone else, they would not delete that data.
Not only that, but any linkable information about that shadow profile will need to be scrubbed. So a photo of me and a friend which my friend has uploaded to facebook will need to have my face or other identifying details scrubbed or the photo deleted.
GDPR requires protection for all EU citizens regardless of location of the user or the data. This means that the millions of EU citizens living in the US have to be afforded the same protection, or FB faces very punitive fines.
It will be interesting to see how this plays out. Will FB require users to stipulate that they do not have an EU passport? What happens if we all say we have one? How would they verify that?
What if I am an Austrian citizen and resident traveling to the SF Bay Area? Does it still apply? (Not clear on how jurisdiction works in these sorts of cases)
I predict sign-up dialogs where you will have to unequivocally state if you're a EU resident or not - because there is next to no algorithmic way of making sure you're dealing with a EU resident.
> GDPR requires protection for all EU citizens regardless of location of the user or the data.
I haven't yet read the whole of GDPR, so maybe there is something further in that changes this, but based on Article 3 that does not to be the case. Here's an earlier comment of mine that quotes Article 3 and discusses this [1]. Here's a link to a nicely formatted online copy of GDPR [2].
It appears to require protection when either (1) the entity processing the data is in the EU or (2) the person whose data is being processed is in the EU.
Even if they did I doubt Facebook has enough of a handle on their data to avoid the fines for GDPR. They're infrastructure must be massive, and they have a big target on them. I can't say I feel bad for them.
GDPR applies to companies/orgs which are (i) based in the EU, or (ii) process personal data of people who live in the EU (regardless of where the corp/org is).
I think lots of EU law applies to residents, rather than citizens of an EU member state.
This is really the wrong time for Zuck to decide to not commit to literally any privacy request someone has.
They already have to meet GDPR in Europe, it's actually easier to not maintain two separate sets of rules, so the decision to not give people worldwide the same protections as in Europe is an intentional choice to do more work to give people less privacy.
Facebook's fear isn't privacy requests made directly by individuals (likely a tiny number), but rather privacy requests made programmatically, on behalf of users, by third party services who can use clever marketing and growth hacks to scale quickly. There are some interpretations of GDPR that would allow this broadly and it could create some meaningful competitive scenarios.
I don't know that much has been written about this yet, but consider data portability as one example. If an EU court rules that Facebook must allow extraction of a social graph with an email address and consistent ID included for each contact, it dramatically weakens their network effect and lowers the barriers to on-boarding users onto competing social networks.
In that scenario I could also write a quiz app that gives you your personality based on that export. That would be an amazing data set for a researcher at e.g. Cambridge and an example of the EU supporting researchers.
I would trust Zuckerberg to understand better if something is easier or harder to implement at Facebook. Also considering that they make money from data, it might be very expensive to throw away everybody's data.
Sure it does. Data is an asset from which they derive revenue. Implementation of rules is just a cost. Throwing away a huge asset would also reduce revenue.
You’re missing the distinction between easy and profitable.
Going back to the top of the thread, the idea was that this is a decision that looks bad in a moment where everyone’s looking at Facebook.
If extending the behaviour worldwide were a difficult engineering feat, that’d provide a simple outward justification for Facebook to not bother.
But in reality, It’s more difficult to keep the two systems around.
Taking that path implies that Facebook actively benefits from breaking the EU law, and justifying it outwardly in the current climate means establishing how the EU law actively harms Facebook’s users... while not admitting that they violate user’s privacy, and profit from doing so.
[And as others have suggested... even if it’s the right move to implement things this way — it makes ~0 sense to draw attention to it.]
Indeed they will set up so they can meet the letter of the law of GDPR. They just will look at the GeoIP of where the submittion was made, and rote deny if out of European jurisdiction.
This is actually a legitimate business decision, as there is a linear cost to servicing each request - letters need to be read manually, likely escalated to counsel in all but "boilerplate" cases, and executed by vetted (and expensive) individuals with strict security training.
Now, could Zuck have said something more articulate than “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing?” Absolutely. He could have said "we'll be working to create a streamlined interface for people to achieve many of the most important benefits enjoyed by EU residents under the GDPR, without requiring them to jump through legal hoops and read a 90-page law to format a request correctly. This is all in progress, but we're committed to making radical transparency accessible to our users." Then there could have been positive spin. But instead the "less is more" approach leads to articles that assume the company to be operating in bad faith.
GDPR actually applies to all EU citizen data, regardless of where the citizen resides.
"If your enterprise has a presence on the internet in the form of a website and if your enterprise collects personal data from customers regardless of where those customers are located, it is subject to the provisions of the GDPR." [1]
> So will users have to set a new site-wide "citizenship" setting on their profile?
What about users who have two or more citizenships? What about users who have none? What about users who have citizenship only in countries the site doesn't recognize?
> Short of actually requiring you to upload your passport
Given that this is about the GDPR, wouldn't that only make things worse for the site? Edit: also, what about people who have neither a passport nor an identity card?
> What about users who have two or more citizenships?
As long as one of them is in the EU, the GDPR would presumably apply. Generally you get all the rights (and responsibilities) of all your citizenships should you have multiple. Even without multiple citizenships this often arises since you have have rights as a resident in one country, while having a single citizenship in another country.
> What about users who have none?
The GDPR would not apply.
> ... what about people who have neither a passport nor an identity card?
The easy out would be to allow the GDPR benefits to anyone who claimed to be from the EU, without requiring them to prove it. This would be compatible with the GDPR, although it might allow some "leakage" (from Facebook's perspective) in that people outside of the EU might fraudulently claim the GDPR benefits.
> also, what about people who have neither a passport nor an identity card?
Not possible. Can't say 100% about all countries, but in my country it's a must to have either passport or ID once you hit 16. There's even a small fine if you don't take out or renew personal document on time.
US and their passport-less life looks very strange from Europe. You can't do anything without ID in EU. No bank account, no employment, no driving license and the list couldgo on and on.
That's not true in the UK, there's no ID card here. IMO it's quite a nuisance, for example you need to always bring 2 documents to verify your identity and address for a variety of situations (opening a bank account, even opening a new savings account at the SAME bank, renting a new place, new job, mortgage, requesting information from the government).
Don't get me started on the UK and the ID card. It's stupidity at the highest level. There is a de-facto "ID", your national insurance number (like a social security number). Except it has no ID features, and cannot be changed. So much, much worse than an ID card. As far as practical ID for bars/clubs, people usually just use a driving license, or are forced to use a passport. Complete idiocy.
(However to get back onto topic, most people in the UK will have a passport, otherwise they should have a NINo allocated at birth. For the people who have neither, the GDPR is the least of their worries.)
Fun fact, in Lithuania people are allocated personal number (similar to NINo?) on birth. ID and/or passport is mandatory regardless.
However, personal number is not guaranteed to be unique because of how it's issued. We have funny stories once in a while when people with similar (or even identical) names happen to have same personal number. A photocopy of ID in important governmental or banking actions.
Same here: I'd already made the decision that I want to move to an EU country, GDPR just makes me want to accelerate that so I can get in on the action sooner. It's not the only, or the biggest reason of course, but it's a nice benefit.
If there has to be a new citizenship profile setting will the following be acknowledged? Taiwan and Palestine both have heavily contested status by the nation states that refuse them.
The specifics is an implementation detail, but as an european citizen (residing anywhere) you have rights under the GDPR and should assert those rights.
It should be noted that merely being accessible in the EU doesn't automatically make the GDPR apply to a site, although the line is not sharply delineated.
> What happens if a site operator in Iowa just ignores it.
Other European businesses, will be banned from doing business with them. For facebook they can stop them buying advertising space, for others they might issue orders to block payments to them. Some small players in Iowa may still get away from things but no one notable will.
Having GDPR applied in USA also is arguable a positive thing, so why not entertain the idea, or at least leave the door open rather then prematurely shut any efforts down? Maybe its best for Mark Zuckerberg to take a break. It might help him to step back and see the big picture, what happened at Facebook is the perfect example of Normalization of Deviance: http://lmcontheline.blogspot.com/2013/01/the-normalization-o...
> I'm not sure I'd want to have Chinese law applied to me here in the US
Facebook could incorporate the bulk of the EU's GDPR into its privacy policy without violating U.S. law. The same could not be said of Chinese policies.
> This is really the wrong time for Zuck to decide to not commit to literally any privacy request someone has
Forget decide--why did he feel the need to make a personal announcement? He is too busy to testify in front of the United Kingdom's MPs [1]. Yet he can find time to personally throw dirt on the EU's privacy rules?
For the head of a social network, this man is shockingly clueless.
When national legislatures call people to testify, that's not a neutral information-gathering exercise. The MPs are going into that panel with a very clear idea of what the witness is going to say, and how they can spin it towards their preferred talking points. Zuckerberg isn't a UK citizen and didn't authorize any misconduct specific to the UK; why should he personally participate in Parliament's ritual shaming of Facebook?
> why should he personally participate in Parliament's ritual shaming of Facebook?
Because it sends a bad message, and Parliament et al have the ability to materially affect facebook's revenue by passing & enforcing laws like the GDPR etc
it's actually easier to not maintain two separate sets of rules
The GDPR version of Facebook really can’t function as a social network - at least not the kind of social network that we would recognize today. So it may be easier to have one version, but that’s not going to happen, and it would be a disservice for the 99% of users that don’t care about privacy but do care about all of the features they are going to have to give up.
There seems to be a strange friction between this statement and the reasoning behind it. You say GDPR's restrictions on collecting more information than necessary or storing it longer than necessary would prevent Facebook from functioning as a social network — but if that's the case, then it sounds like the data collection and retention was necessary after all. Am I missing something here?
The problem is that we don’t know. It doesn’t specify a definition of necessary. Necessary for whom? It isn’t necessary for Facebook to solicit people to make wall posts, so arguably they’d run afoul of the law by simply offering the option to do so.
My point was that the law leaves massive room for interpretation. The threat of aggressive application and interpretation of this law could deliver significant leverage to the EU over these companies in matters reaching far beyond privacy.
