If the General Data Protection Regulation, the European law is designed to empower users to control their data, was to come into effects this instant almost 1.9 billion Facebook users would be empowered by it. The social media giant wants none of that and is making changes to ensure that the number is much smaller.
A week after company founder and CEO Mark Zuckerberg spoke a big game in the US Congress about extending GDPR protection to all its users around the world Facebook is reportedly working behind the scenes to minimise the impact of the sweeping privacy regulation by altering elements of its Terms of Service (ToS). Reuters reports that while earlier all Facebook users were governed by ToS agreed with the company’s international headquarters in Ireland. Facebook, like many other US tech companies, established an Irish subsidiary in 2008 to take advantage of the country’s low corporate tax rates, routing through it revenue from some advertisers outside North America. Problem is that Ireland is part of the EU and therefore this will force these ToS to comply with the GDPR. Next month, Facebook is planning to make that the case for only European users, meaning 1.5 billion members in Africa, Asia (including India), Australia and Latin America will not fall under the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25.
Facebook has confirmed this move to Reuters. This shows that the social media company is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent. And those fines can be really steep with the law allowing for penalties of up to 4% of a company’s global annual revenue for infractions, which could be billions of dollars in Facebook’s case.
Spirit but not letter of the law
In a statement given to Reuters, Facebook played down the importance of the terms of service change, saying it plans to make the privacy controls and settings that Europe will get under GDPR available to the rest of the world. “We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland,” the company said.
The company told Reuters that its rationale for the change was related to the European Union’s mandated privacy notices, “because EU law requires specific language.” For example, the company said, the new EU law requires specific legal terminology about the legal basis for processing data which does not exist in US law.
The argument here is that Facebook plans to adhere to the spirit of the law rather than the letter of it. But by moving to avoid any form of liability that comes with breaking this law the above statement will hardly inspire any confidence. This change means the 1.5 billion affected users will not be able to file complaints with Ireland’s Data Protection Commissioner or in Irish courts. Instead, they will be governed by more lenient US privacy laws. For instance, certain types of users data such as browsing history is considered personal data under EU law but are not as protected in the United States.
Please click accept and move on
Facebook has said it will roll out its new GDPR complaint privacy control tools for users living in Europe this week. Elements of this will be expanded to other users around the world it seems, “Everyone – no matter where they live – will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook,” the company wrote in a blog post.
Facebook offered a preview these new tools and settings to journalists at its Menlo Park headquarters. Some of the responses coming out from reporters who had a chance to preview these settings does not inspire any confidence.
A report on TechCrunch slams the new tools for simply being a smoke screen and not doing enough to empower users. “With a design that encourages rapidly hitting the “Agree” button, a lack of granular controls, a laughably cheatable parental consent request for teens and an aesthetic overhaul of Download Your Information that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data,” the TechCrunch report pointed out.
Sandy Parakilas, a former Facebook operations manager who warned the company about privacy issues, told Wired that, Facebook appears to want to comply with the letter of the European rules while changing as few of its data-handling practices as possible. “Everything about the page is designed to manipulate you into doing the thing they want. The goal of the design exercise is to get you to accept, and not go into your settings and turn things off.”
TechCrunch’s report offers a detailed breakdown of everything that is wrong with Facebook new privacy consent flow design, it is a must-read. The core criticism mentioned in the report is that Facebook gives people the appearance of choice and then carefully directs users to make the “right one” (the “right one” is the choice that serves Facebook’s interest the best). Facebook has designed the entire consent flow to get users to simply agree to share all their information. This is most apparent in the persistent appearance of giant blue buttons: “Accept and Continue”; “Continue”; “Save.” while negative responses are buried in tiny hyperlinks.
Take a look at the image above, this is Facebook’s new Terms of Service agreement. Notice that the only easily visible response is asking you to accept the terms, that is done on purpose. The option to reject the new Terms of Service isn’t even a button, it is buried in a tiny “see your options” hyperlink. This shows that while Facebook is taking your consent (it is being forced to) it wants to direct you towards choices the company would prefer while cloaking the alternatives.
Offering choices that are visibly equal in weight, instead of burying alternatives in greyed-out buttons and tiny hyperlinks, would have been the fair choice to offer users. It would have helped Facebook reiterate the commitments made by its CEO to lawmakers and the public and it would have made Facebook a progressive company that works to protect its users. But Facebook seems to be putting all its efforts into appearing sincere and progressive rather than acting that way, which is a real shame.