On Friday, the European Union’s GDPR (General Data Protection Regulation) privacy regulation goes into effect. Many articles have been written complaining that the regulation is ambiguous, confusing and difficult to implement. These articles are right up to a point, but they miss the bigger picture. The GDPR is not just a set of rules. It is a set of political opportunities actors are battling to take advantage of to make sure that the ambiguities are interpreted in their favor rather than someone else’s.
Already, one of the major new battles is becoming clear. Facebook has accepted the GDPR but has deliberately interpreted it in a minimalist way. Privacy activist Max Schrems and his new organization NOYB (None of Your Business) have used the GDPR to launch four major court cases against Facebook and its subsidiaries. If Schrems’s interpretation prevails, Facebook’s business model will be fundamentally challenged.
Facebook has accepted GDPR … but only up to a point.
Over the past several months, Facebook has gotten a lot of terrible publicity. Russian “influence operations” may or may not have had much influence, but they were able to make liberal use of Facebook to circulate memes and try to widen divisions in the U.S. public. Cambridge Analytica used Facebook data to target millions of American voters. Facebook chief executive Mark Zuckerberg has embarked on a publicity tour to try to stanch the blood loss. One of his major talking points has been that Facebook takes privacy seriously — and is demonstrating its seriousness by adhering to the European Union’s GDPR. Zuckerberg has even talked of extending GDPR protections to customers in the United States.
However, Facebook’s commitment to GDPR is more limited than some of its public statements suggest. Facebook is going to apply only some GDPR protections worldwide. It has also changed its terms of service for 1.5 billion customers outside Europe and the United States, who used to have a relationship with Facebook’s European headquarters in Dublin, presumably to make sure that the GDPR does not apply to them. Finally, it has interpreted GDPR in a way that critics describe as minimalist, for example requiring customers to consent to Facebook’s data collection practices if they are to use Facebook at all.
Read the full piece at The Washington Post.