Facebook sneakily shifts data of 1.5 billion users away from Europe and GDPR
Following the Cambridge Analytica scandal, the spotlight of privacy has been firmly on Facebook. The social network has made numerous promises about offering greater privacy controls to users, and after fears that Europe would end up with greater controls because of GDPR, Facebook then revealed similar tools will be rolled out around the world.
Just a few days ago, the company gave a little more information about these new privacy controls, boasting that it will soon be "offering new privacy protections to everyone, no matter where you live". Sounds great. But it's not -- strictly speaking -- true. And Facebook is being very sneaky once again.
- Facebook reveals new privacy controls for users around the world
- Facebook: Yep, we track non-users -- but everyone else is doing it, so why shouldn't we?
- Facebook Messenger issues a privacy review reminder to users
- Privacy: Facebook will roll out GDPR controls to the whole world, not just Europe
With Mark Zuckerberg having indicated in an interview earlier this month that people around the world would be getting "in spirit, the whole thing" [GDPR], hopes were high that this might be exactly what happened. But it seems unlikely to be the case. Facebook has taken the decision to move the data of 1.5 billion users away from Ireland where it is currently stored -- and where it would be subject to the letter of GDPR law -- to the US where privacy laws are much less strict.
While Facebook could argue that moving the data for non-US, non-Canadian, non-European users away from GDPR jurisdiction does not mean GDPR-style privacy controls won't be given to everyone, it's little surprise that there's suspicion at the action.
Importantly, as pointed out by the Register, Facebook said that it would offer GDPR "controls" -- not "protections" -- around the world. This important word seems all the more significant following the massive shift of data -- something privacy researcher Lukasz Olejnik says "is not a simple copy-and-paste exercise".
Facebook says the move was made because of a European requirement to use certain language in mandated privacy notices, which is not required in the US. In a statement given to the Guardian, Facebook says: "We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that."
This is a major and unprecedented change in the data privacy landscape. The change will amount to the reduction of privacy guarantees and the rights of users, with a number of ramifications, notably for for consent requirements. Users will clearly lose some existing rights, as US standards are lower than those in Europe.
Data protection authorities from the countries of the affected users, such as New Zealand and Australia, may want to reassess this situation and analyse the situation. Even if their data privacy regulators are less rapid than those in Europe, this event is giving them a chance to act. Although it is unclear how active they will choose to be, the global privacy regulation landscape is changing, with countries in the world refining their approach. Europe is clearly on the forefront of this competition, but we should expect other countries to eventually catch up.
Whatever the real motivation behind the data move, Facebook is going to have a very difficult time convincing users that there's nothing suspicious about it.