If a new European law restricting what companies can do with people’s online data went into effect tomorrow, almost 1.9 billion Facebook users around the world would be protected by it.
But the online social network is making changes that ensure the number will be much smaller.
Facebook members outside the United States and Canada, whether they know it or not, are currently governed by terms of service agreed with the company’s international headquarters in Ireland.
Next month, Facebook is planning to make that the case for only European users, meaning 1.5 billion members in Africa, Asia, Australia, and Latin America will not fall under the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25.
The previously unreported move, which Facebook confirmed to Reuters on Thursday, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.
That removes a huge potential liability for Facebook, as the new EU law allows for fines of up to 4 percent of global annual revenue for infractions, which in Facebook’s case could mean billions of dollars.
The laws do not stop at European boundaries, with those in the rest of the world bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
The change comes as Facebook faces scrutiny from regulators and lawmakers worldwide since disclosing last month that the personal information of millions of users wrongly ended up in the hands of political consultancy Cambridge Analytica.
The change affects more than 70 percent of Facebook’s 2 billion-plus members. As of December, Facebook had 239 million users in the United States and Canada, 370 million in Europe, and 1.52 billion users elsewhere.
Facebook, like many other US technology companies, established an Irish subsidiary in 2008 and took advantage of the country’s low corporate tax rates, routing through its revenue from some advertisers outside North America. The unit is subject to regulations applied by the 28-nation European Union.
In a statement, Facebook played down the importance of the terms of service change.
“We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland,” the company said.
Facebook chief executive Mark Zuckerberg told Reuters earlier this month that his company would apply the EU law globally “in spirit,” but stopped short of committing to it as the standard for the social network across the world.
For users of the social network in Europe, Facebook yesterday unveiled its changes for those under the auspices of the GDPR. European residents, for instance, will be able to see contact details for the company’s Data Protection Officer. Users in Europe and Canada would also be able to turn on facial recognition again, Facebook said.
The number of users caught up in the Cambridge Analytica scandal that kicked off the latest round of scrutiny into the social network now stands at 87 million.
When the scandal kicked off in March, the number of users impacted was said to be 50 million.
Zuckerberg fronted a joint session of the Senate Judiciary and Commerce Committees last week, and was warned not to let his site become a privacy nightmare.
“The story you’ve created represents the American dream,” Senator John Thune, a Republican from South Dakota and chairman of the Senate Commerce, Science and Transportation Committee, said to Zuckerberg. “You have an obligation to ensure that dream doesn’t become a privacy nightmare.”
“One reason so many people are worried about this incident is what it says about how Facebook works.”
The misuse of user data from social media is far from limited to Cambridge Analytica though.
On Wednesday, it was revealed that Localblox, a firm in the US state of Washington, had scraped together 48 million personal profiles from services such as Facebook, LinkedIn, Twitter, and Zillow without user consent, and left the data sitting on an AWS S3 storage bucket without a password.
A report published earlier this week said over 60 percent of surveyed organizations were likely to miss the GDPR compliance deadline, and only 7 percent reported being in full compliance.
“What is striking in this study is the lack of staff with GDPR expertise and an overall underestimation of the effort required to meet GDPR, which represents the most sweeping change in data privacy regulation in decades,” said Holger Schulze, CEO of Cybersecurity Insiders, which commissioned the study.
The Facebook CEO brushed aside the notion that Facebook has to rein in its quest for profit in order to restore user trust.
Amid the ongoing trust crisis, Facebook users get an easier way to download their data and new mobile privacy settings.
Here’s how the social media giant is updating privacy policies ahead of the EU’s new data law.
How do you permanently delete your Facebook account? It’s pretty easy. Facebook users can also deactivate their account for a temporary break.
Forrester analyst Jeff Pollard Jeff Pollard explains why Facebook’s data platform is a ripe target for hackers and cyber-criminals.