Facebook would not pass strict new data regulations from the EU, in a further blow to the already beleaguered social media giant and founder Mark Zuckerberg.
Facebook’s carelessness concerning private data has been reported on extensively in light of the Cambridge Analytica scandal. One notable aspect of the issue has not been widely discussed, however: the EU’s new data protection rules.
From 25 May 2018, the EU will apply a new set of stringent rules, the General Data Protection Regulation (GDPR), to everyone storing or processing personal data about individuals in the EU. The rules also apply to companies based outside the EU whose customers or users include people in the EU (Article 3).
The aim of the GDPR is to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world, one vastly different from the time in which the 1995 Data Protection Directive (95/46/EC) was established. Although the key principles of data privacy carry over from the previous directive, the regulatory regime has changed substantially, and, unlike a directive, a regulation applies directly in every member state without national implementing laws.
Penalties for violating GDPR:
The GDPR extends its jurisdiction to all companies that store and process the personal data of people in the EU, regardless of where the company is based.
Companies can be fined up to 4% of annual global turnover or €20 million, whichever is greater (Article 83(5)). This is the maximum fine, reserved for the most serious infringements: breaching the basic principles of processing, including the conditions for valid consent (Articles 5, 6, 7 and 9), infringing data subjects’ rights (Articles 12 to 22), or unlawful international transfers (Articles 44 to 49). Fines are tiered. A lower tier of up to 2% of turnover or €10 million (Article 83(4)) covers, for example, failing to keep records of processing (Article 30), not implementing data protection by design and by default (Article 25), not notifying the supervisory authority and affected data subjects of a breach (Articles 33 and 34), or not carrying out a required data protection impact assessment (Article 35). These obligations bind both controllers and processors, so cloud providers processing data on a customer’s behalf are not exempt from GDPR enforcement.
Companies will no longer be able to bury consent in long, illegible terms and conditions full of legalese: a request for consent must be presented in an intelligible and easily accessible form, in clear and plain language, clearly distinguishable from other matters, and stating the purpose of the processing (Article 7(2)). It must be as easy to withdraw consent as it is to give it (Article 7(3)).
On 29th January, Facebook published the following statement:
Facebook takes data protection and people’s privacy very seriously and we are committed to continuing to comply with data protection laws….At Facebook, preparations are well underway to ensure that our products and services comply with the GDPR. Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR…We are committed to transparency, control and accountability.
Facebook’s statements concerning “control” and “accountability” are particularly interesting:
We’ll continue to provide people with controls over how their data is used. To build on this, we’re simplifying the design of our privacy settings in a new control centre. We’ll also provide refreshers for people as they use Facebook, such as reminders that pop up in News Feed about how to double-check your settings.
We are accountable for our privacy practices, which includes updating our existing compliance program to ensure that we are adequately documenting our GDPR review and compliance. We are also meeting with regulators, legislators, experts and academics from around the world to seek feedback.
Playing with, and profiting from, the human ego
Those of you who still think that Mark Zuckerberg, the founder of Facebook, is a philanthropic do-gooder whose sole aim is to make a better world have severely underestimated the hidden motives of a man who stores your holiday snapshots, knows your friends, and shares your political opinions and secret desires with others. The man is probably a genius, but he is also a shrewd businessman. He is playing with, and profiting from, a universal source of income in our technological world: the human ego.
The fact that Cambridge Analytica harvested the personal data of unsuspecting American Facebook users via a third-party app does not change the fact that Facebook is guilty, and is nowhere near complying with the GDPR. Facebook knew about the misuse as far back as 2015. Under GDPR Article 33, a controller must report a personal data breach to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a breach likely to result in a high risk must also be communicated to the affected data subjects (Article 34). The GDPR was not yet in force in 2015, so the obligation could not have applied then, but the same conduct after 25 May 2018 would trigger it.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it…
Facebook has profited from its users’ personal data for years without what the GDPR would recognise as valid consent. The fact that the personal data of millions of American voters found its way into Donald Trump’s presidential campaign via Cambridge Analytica does not change the fact that Facebook remains to blame. Having collected the data in the first place, Facebook is, under the GDPR, the “controller” which, “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7)).
Even if Facebook were found guilty and fined the maximum 4% of annual global turnover, the fine, roughly $1.6 billion on 2017 revenue of about $40.7 billion, would be modest when compared to Facebook’s 2017 net income of just under $16 billion.
Facebook’s attitude towards the privacy of its members undermines the very concepts it claims to promote: democracy and social cohesion in a safe environment. Facebook users freely choose to share certain information about themselves on the platform, but expect, and deserve, that this information stays within the confines of the users’ agreement with Facebook unless they specifically consent otherwise.
Facebook will have to adapt to the GDPR if it is not to suffer sanctions from EU data protection authorities (in Facebook’s case the lead supervisory authority would be the Irish Data Protection Commissioner, since its EU headquarters are in Dublin) and lose its credibility.
First and foremost, Facebook will be unable to use personal data for advertising purposes without specific user consent, and it cannot make access to the service conditional on consent to processing that is not necessary to provide that service (Article 7(4)). Concerning consent, Recital 32 of the GDPR states that:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website… Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
I was curious about this and opened the Ad Controller on my Facebook account. These are settings that control the way Facebook sends me advertisements that suit my profile. To my surprise, all the boxes were ticked. Either I cannot remember ticking them, or they were pre-ticked boxes.
Are carrier pigeons safer for sending messages, than encrypted emails?
As a healthcare worker, I must give written information on why I collect personal data, what I use it for, and what my patients can do about it. Everything must be explicitly clear and written for the records. This includes a detailed description of what happens to personal data when sent to third parties, such as insurance and billing companies, as well as in emails to and from colleagues. In this way, the personal data that is gathered should not serve any purpose other than that specified to the user. The data collected should be kept up to date and limited to the strict minimum needed to provide the service that the user, or customer, has signed up for. The implementation of GDPR is so complicated that I seriously considered acquiring carrier pigeons instead of sending encrypted emails. Quite safe, I thought, as long as they land in the right place and don’t get maimed by the cat living at number 10.
Another GDPR provision of particular importance to anyone using Facebook is the “right to erasure”, or “right to be forgotten”, set out in Article 17. It allows people to demand the erasure of their personal data in the broad GDPR sense, which expressly includes online identifiers such as IP addresses and cookie identifiers (Recital 30).
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…
Thus, if you decide to close your Facebook account, Facebook will be obliged to erase your personal data because “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed” and “the data subject withdraws consent on which the processing is based” (Article 17(1)(a) and (b)). Where Facebook has made the data public, it must also take reasonable steps to inform other controllers processing that data that erasure of any links to, or copies of, it has been requested (Article 17(2)). The right is not absolute: Article 17(3) preserves processing that is still needed, for example, to comply with a legal obligation or to establish, exercise or defend legal claims.
But do you disappear from Facebook once you delete your account? According to Chris Shrader, a former Facebook consultant, the answer is a categorical “no”:
Hive (a tool within the Hadoop platform which Facebook uses for analyzing and storing data) literally doesn’t allow you to delete individual records from tables, because it is simply a limitation of the technology. The only way to delete your data would be to delete everyone’s data.
The upcoming GDPR is the logical conclusion to a digital dream that still has the potential to turn into a nightmare. However, even stringent, well thought out rules are only as strong as their enforcement. That is of paramount importance when trying to regulate companies such as Facebook and Google, whose sheer size escapes us and whose data, our data, threatens to disappear into the cloud. For Mark Zuckerberg, Facebook’s data leak was “a major breach of trust.” His company, though, has undoubtedly lost face. As for the rest of us, his clients, it might be a question of a few stolen photobooks and a few unsolicited emails and advertisements containing advice on how to vote in a presidential election, or in a referendum.