
This is really the wrong time for Zuck to decide to not commit to literally any privacy request someone has.

They already have to meet GDPR in Europe, it's actually easier to not maintain two separate sets of rules, so the decision to not give people worldwide the same protections as in Europe is an intentional choice to do more work to give people less privacy.




> it's actually easier to not maintain two separate sets of rules

But it's more profitable to maintain two separate sets of rules in this case.


There we go. Easier to sell user data in non-EU jurisdictions


Indeed. It's not: "GDPR everywhere or just Europe", it's "Shut down spying/profits in just Europe or everywhere".


Facebook's fear isn't privacy requests made directly by individuals (likely a tiny number), but rather privacy requests made programmatically, on behalf of users, by third party services who can use clever marketing and growth hacks to scale quickly. There are some interpretations of GDPR that would allow this broadly and it could create some meaningful competitive scenarios.


Could you link to some of those interpretations or give the article/recital where you think this could be possible?


I don't know that much has been written about this yet, but consider data portability as one example. If an EU court rules that Facebook must allow extraction of a social graph with an email address and consistent ID included for each contact, it dramatically weakens their network effect and lowers the barriers to on-boarding users onto competing social networks.


In that scenario I could also write a quiz app that gives you your personality based on that export. That would be an amazing data set for a researcher at e.g. Cambridge and an example of the EU supporting researchers.


Hello n, what you described is what Cambridge Analytica did. Zero chance Facebook would risk their business, AGAIN.


I would trust Zuckerberg to understand better if something is easier or harder to implement at Facebook. Also considering that they make money from data, it might be very expensive to throw away everybody's data.


Your second point does not support your first.


Sure it does. Data is an asset from which they derive revenue. Implementation of rules is just a cost. Throwing away a huge asset would also reduce revenue.

Am I missing something?


You’re missing the distinction between easy and profitable.

Going back to the top of the thread, the idea was that this is a decision that looks bad in a moment where everyone’s looking at Facebook.

If extending the behaviour worldwide were a difficult engineering feat, that’d provide a simple outward justification for Facebook to not bother.

But in reality, it’s more difficult to keep the two systems around.

Taking that path implies that Facebook actively benefits from breaking the EU law, and justifying it outwardly in the current climate means establishing how the EU law actively harms Facebook’s users... while not admitting that they violate users’ privacy, and profit from doing so.

[And as others have suggested... even if it’s the right move to implement things this way — it makes ~0 sense to draw attention to it.]


no. he knows it’s harder. but it’s worth it for him to sell your data and abuse his users.


Indeed they will set up so they can meet the letter of the law of GDPR. They just will look at the GeoIP of where the submission was made, and rote deny if out of European jurisdiction.


This is actually a legitimate business decision, as there is a linear cost to servicing each request - letters need to be read manually, likely escalated to counsel in all but "boilerplate" cases, and executed by vetted (and expensive) individuals with strict security training.

Now, could Zuck have said something more articulate than “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing?” Absolutely. He could have said "we'll be working to create a streamlined interface for people to achieve many of the most important benefits enjoyed by EU residents under the GDPR, without requiring them to jump through legal hoops and read a 90-page law to format a request correctly. This is all in progress, but we're committed to making radical transparency accessible to our users." Then there could have been positive spin. But instead the "less is more" approach leads to articles that assume the company to be operating in bad faith.


GDPR actually applies to all EU citizen data, regardless of where the citizen resides.

"If your enterprise has a presence on the internet in the form of a website and if your enterprise collects personal data from customers regardless of where those customers are located, it is subject to the provisions of the GDPR." [1]

[1] https://www.techrepublic.com/article/the-eu-general-data-pro...


So will users have to set a new site-wide "citizenship" setting on their profile?

Short of actually requiring you to upload your passport, how can Facebook make sure only European citizens get the added privacy?

Because I know, as a non-European, I want to get in on this action.


> So will users have to set a new site-wide "citizenship" setting on their profile?

What about users who have two or more citizenships? What about users who have none? What about users who have citizenship only in countries the site doesn't recognize?

> Short of actually requiring you to upload your passport

Given that this is about the GDPR, wouldn't that only make things worse for the site? Edit: also, what about people who have neither a passport nor an identity card?


> What about users who have two or more citizenships?

As long as one of them is in the EU, the GDPR would presumably apply. Generally you get all the rights (and responsibilities) of all your citizenships should you have multiple. Even without multiple citizenships this often arises since you have rights as a resident in one country, while having a single citizenship in another country.

> What about users who have none?

The GDPR would not apply.

> ... what about people who have neither a passport nor an identity card?

The easy out would be to allow the GDPR benefits to anyone who claimed to be from the EU, without requiring them to prove it. This would be compatible with the GDPR, although it might allow some "leakage" (from Facebook's perspective) in that people outside of the EU might fraudulently claim the GDPR benefits.


> also, what about people who have neither a passport nor an identity card?

Not possible. Can't say 100% about all countries, but in my country it's a must to have either passport or ID once you hit 16. There's even a small fine if you don't take out or renew personal document on time.

US and their passport-less life looks very strange from Europe. You can't do anything without ID in EU. No bank account, no employment, no driving license and the list could go on and on.


That's not true in the UK, there's no ID card here. IMO it's quite a nuisance, for example you need to always bring 2 documents to verify your identity and address for a variety of situations (opening a bank account, even opening a new savings account at the SAME bank, renting a new place, new job, mortgage, requesting information from the government).


Don't get me started on the UK and the ID card. It's stupidity at the highest level. There is a de-facto "ID", your national insurance number (like a social security number). Except it has no ID features, and cannot be changed. So much, much worse than an ID card. As far as practical ID for bars/clubs, people usually just use a driving license, or are forced to use a passport. Complete idiocy.

(However to get back onto topic, most people in the UK will have a passport, otherwise they should have a NINo allocated at birth. For the people who have neither, the GDPR is the least of their worries.)


Fun fact, in Lithuania people are allocated personal number (similar to NINo?) on birth. ID and/or passport is mandatory regardless.

However, personal number is not guaranteed to be unique because of how it's issued. We have funny stories once in a while when people with similar (or even identical) names happen to have same personal number. A photocopy of ID in important governmental or banking actions.


... and a surprising number of official documents have errors in them, minor address or name misspellings, that make them invalid for this purpose.


Is it really possible to have none?



Same here: I'd already made the decision that I want to move to an EU country, GDPR just makes me want to accelerate that so I can get in on the action sooner. It's not the only, or the biggest reason of course, but it's a nice benefit.


If there has to be a new citizenship profile setting will the following be acknowledged? Taiwan and Palestine both have heavily contested status by the nation states that refuse them.


The specifics are an implementation detail, but as a European citizen (residing anywhere) you have rights under the GDPR and should assert those rights.


Enforced by who? Fines collected by who?

What happens if a site operator in Iowa just ignores it.


I'll tell you what happens: nothing.

Okay, they might get a letter or two that they place in the circular file.


It should be noted that merely being accessible in the EU doesn't automatically make the GDPR apply to a site, although the line is not sharply delineated.

https://gdpr-info.eu/recitals/no-23/


> What happens if a site operator in Iowa just ignores it.

Other European businesses will be banned from doing business with them. For Facebook they can stop them buying advertising space, for others they might issue orders to block payments to them. Some small players in Iowa may still get away from things but no one notable will.


The opt out page simply won't show in non-GDPR jurisdictions.


I wonder what will happen if you use a European VPN...


It's not hard to maintain separate sets of rules and companies already do so. Try taking a look at Maine's laws on data with regards to minors.


Is Facebook available in China? Do they comply with Chinese law? I'm not sure I'd want to have Chinese law applied to me here in the US.


Having GDPR applied in USA also is arguably a positive thing, so why not entertain the idea, or at least leave the door open rather than prematurely shut any efforts down? Maybe it's best for Mark Zuckerberg to take a break. It might help him to step back and see the big picture, what happened at Facebook is the perfect example of Normalization of Deviance: http://lmcontheline.blogspot.com/2013/01/the-normalization-o...


I don't get how the GDPR and the censorship in China are related here in any way. Is the GDPR bad for your freedom of speech?


For one, both are the law in a particular region of the world.


Some laws are ubiquitous. Others are common or even unique. Each can, and should be, evaluated on their merit.

Can you enunciate where the GDPR excels and fails, or is national origin insinuation enough?


I can see why being forced to apply the law of another country can be bad. I don't see why merely deciding to do so is necessarily bad.


It's been blocked for nearly a decade.


Yeah, except GDPR is demonstrably only good for the consumer.


It cannot be 'demonstrably only good' because there is no way to know all of the services this will prevent from being viable.


I think we have a pretty good idea of the services that no personal privacy creates.


I mean, nitpicking, but it might mean your favorite service can't provide some feature, either due to prioritization or some other reason.


I wish my favorite service prioritizes to make my data deletable.


Then do I have good news for you :p


I honestly can't tell whether you're being ironic or not.

But it seems like a complex law and it's likely we won't know the hidden downsides until well after it's implemented.


Cheap effective advertising is very good for the consumer.


Gonna need a citation on this, and a definition of 'very good'.


Demonstrably?


> I'm not sure I'd want to have Chinese law applied to me here in the US

Facebook could incorporate the bulk of the EU's GDPR into its privacy policy without violating U.S. law. The same could not be said of Chinese policies.


> Is Facebook available in China?

No


> This is really the wrong time for Zuck to decide to not commit to literally any privacy request someone has

Forget decide--why did he feel the need to make a personal announcement? He is too busy to testify in front of the United Kingdom's MPs [1]. Yet he can find time to personally throw dirt on the EU's privacy rules?

For the head of a social network, this man is shockingly clueless.

[1] https://www.reuters.com/article/us-facebook-cambridge-analyt...


When national legislatures call people to testify, that's not a neutral information-gathering exercise. The MPs are going into that panel with a very clear idea of what the witness is going to say, and how they can spin it towards their preferred talking points. Zuckerberg isn't a UK citizen and didn't authorize any misconduct specific to the UK; why should he personally participate in Parliament's ritual shaming of Facebook?


> why should he personally participate in Parliament's ritual shaming of Facebook?

Because it sends a bad message, and Parliament et al have the ability to materially affect Facebook's revenue by passing & enforcing laws like the GDPR etc.


Looks like Zuck is a victim of the echo chamber of Facebook feeds.


If livelihood depends on not understanding something, it is impossible to make them understand.


> it's actually easier to not maintain two separate sets of rules

The GDPR version of Facebook really can’t function as a social network - at least not the kind of social network that we would recognize today. So it may be easier to have one version, but that’s not going to happen, and it would be a disservice for the 99% of users that don’t care about privacy but do care about all of the features they are going to have to give up.


There seems to be a strange friction between this statement and the reasoning behind it. You say GDPR's restrictions on collecting more information than necessary or storing it longer than necessary would prevent Facebook from functioning as a social network — but if that's the case, then it sounds like the data collection and retention was necessary after all. Am I missing something here?


The problem is that we don’t know. It doesn’t specify a definition of necessary. Necessary for whom? It isn’t necessary for Facebook to solicit people to make wall posts, so arguably they’d run afoul of the law by simply offering the option to do so.

My point was that the law leaves massive room for interpretation. The threat of aggressive application and interpretation of this law could deliver significant leverage to the EU over these companies in matters reaching far beyond privacy.


> The GDPR version of Facebook really can’t function as a social network

Could you explain that?


Distinguishing between who is a EU citizen, or who is in the EU right now is problematic. My company is applying the law to everyone.




