Number of words – 1,302<\/p>\n\n\n\n
\u201cWe believe that everyone around the world deserves good privacy controls,\u201d Mark Zuckerberg told the House Energy and Commerce Committee on Wednesday. \u201cWe\u2019ve had a lot of these controls in place for years. The [EU General Data Protection Regulation] requires us to do a few more things, and we\u2019re going to extend that to the world.\u201d<\/p>\n\n\n\n
Until recently, U.S. discourse largely claimed new EU privacy rules were more about European protectionism than data protection. But in the aftermath of the Cambridge Analytica scandal, the idea of a U.S. data protection law is suddenly appealing to many American legislators. Zuckerberg said repeatedly before the House as well as the Senate that he is open to regulation, but he also seemed to suggest that, thanks to Facebook\u2019s embrace of the new European law, it was almost unnecessary. He promised that Facebook will ensure that \u201call the same controls will be available around the world.\u201d Such a pledge sounds appealing, particularly given the fact that much of Congress has a self-regulatory soft spot. But what it actually means is neither straightforward nor as protective as it may sound.<\/p>\n\n\n\n
The controls he was referring to are part of Facebook\u2019s implementation of the EU General Data Protection Regulation\u2014GDPR for short. The bloc\u2019s refreshed rules on privacy and user control of personal data will become enforceable from May 25. Fearing headlines of fines of 4 percent of global turnover in the preceding year or 20 million euros (about $24 million), whichever is higher, firms the world over are scrambling to get their houses in order. All organizations that are either based in the EU or process personal data relating to EU residents, including U.S. firms, must narrowly define and properly communicate what they want to do with the data and ensure they have a lawful basis for doing it. The regulation spells out rules for explicit consent, which can\u2019t be bundled up with other terms and conditions, when sensitive data is collected and inferred, and it has to be as easy to withdraw permission as it was to grant. Companies must also swiftly comply with requests to obtain copies of personal data, to object to particular uses of it, or to have it erased (\u201cforgotten\u201d).<\/p>\n\n\n\n
When it comes to Zuckerberg\u2019s claim, the core thing to understand is the distinction between two types of Facebook user: the 239 million located in the U.S. and Canada, served out of Facebook in Menlo Park, California, and the 1.89 billion located elsewhere and served from Facebook Ireland. The 89 percent of users served from Facebook Ireland\u2014even those who don\u2019t live in EU countries\u2014will already benefit from the GDPR\u2019s legal protection, regardless of public promises, and can seek redress through European regulators and courts.<\/p>\n\n\n\n
Zuckerberg may want you to think that Facebook has decided to bring the remaining 11 percent up to parity. But that\u2019s not what\u2019s going to happen. Whenever asked to confirm whether Facebook would extend GDPR protections to the few locations they are not legally required, Zuckerberg was careful to respond that yes, they would extend GDPR \u201ccontrols.\u201d The difference is critical. Facebook\u2019s chosen \u201ccontrols\u201d are not the same as the GDPR. Instead, they are a highly restrictive interpretation of data protection law that does not reflect the depth of transparency, accountability, and control the regulation demands.<\/p>\n\n\n\n
Take the GDPR\u2019s right of access to personal data. Zuckerberg claimed to the House that everything users \u201chave in Facebook\u201d is available to download. Yet Facebook itself admits that this is untrue. Facebook Pixel code chunks, which make your browser reveal your identity on non-Facebook pages, are strewn across 30 percent of the web, and the company can also track users across smartphone apps. That information is stored in a nonanonymized format alongside user IDs in Facebook\u2019s \u201cHive\u201d big data analysis system. Even trivial examination of such data can reveal intensely private and intimate information on individuals\u2019 characteristics, lifestyle, and preferences. And this is an organization capable of far more than trivial analysis. This year, Swiss mathematician Paul-Olivier Dehaye submitted a written request to Facebook for data about the websites he had visited and what had been inferred about him. In response, the company said that while it could retrieve the information, pulling it out of the many parts of the complex Hive analysis system it had been placed across would \u201centail multiple hours of total computing time, across thousands of servers running in parallel.\u201d If Facebook offered everyone the ability to understand and control this data, it claimed, the \u201crequired computer processing power would greatly exceed that available to the Facebook group.\u201d The notion that the sheer amount of data and sophistication of analysis is so great as to limit a firm with a market capitalization of $400 billion (roughly the same as Norway\u2019s GDP) from finding a way to access it easily is worrying.<\/p>\n\n\n\n
Even in Europe, using access rights to find out what firms actually process about you\u2014usually highly fine-grained data about your habits, behavior, and location that you might not have imagined they even had\u2014is bewildering and time-intensive. First, you have to prove your identity, cope with countless attempts to defuse your request, and petition the EU regulator to take your concerns seriously. After that, you might get either an arbitrary selection of data (often in a lengthy but nevertheless incomplete PDF) or a legally suspect dead-end refusal. The penalties for violating European data protection law are now high, so if it applies to you and you truly know how to push, companies might give eventual consideration to your concerns.<\/p>\n\n\n\n
But in the U.S., there is no data protection authority to back you up. The idea that the voluntary \u201ccontrols\u201d Zuckerberg invoked will truly shine light on shadowy profiling practices is almost laughable. Facebook is far from the only villain: Similar \u201cwe can\u2019t find your data, but a hacker could\u201d excuses are commonly rolled out by even privacy-protective companies such as Apple, which stores all audio and transcripts users dictate to Siri for analysis but stubbornly refuses to provide user control.<\/p>\n\n\n\n
Facebook claims that access to such detailed data is not of use to the average consumer. Let us run our algorithmic systems over it, company leaders say, and we will give you a basic overview of the result. It\u2019s true that not all consumers are interested in or have a use for gigabytes of information about themselves. But that shouldn\u2019t be an excuse to let the firm paint a rosy picture about its tracking practices and the inferences they enable on both users and nonusers. Transparency around complex data and processing practices is useful, particularly to regulators and to civil society groups, who translate that information and ignite true public debate.<\/p>\n\n\n\n
If Facebook truly wanted to, it could give \u201cjoint data controller\u201d status to Facebook Ireland with regard to U.S. and Canadian users as well as the 89 percent it currently serves. This would give all Facebook users recourse to justice, enforcement of the GDPR, and legal rights beyond that of Zuckerberg\u2019s promised \u201ccontrols.\u201d Yet it\u2019s easy to imagine that politicians like Sen. Ted Cruz\u2014who in 2016 claimed that a largely bureaucratic change involving the organization that assigns domain names was tantamount \u201cto giv[ing] away control of the internet\u201d\u2014would bristle at that: Why should European courts determine the remedies available to American residents, for an American firm? Better would be to pass a similarly strong piece of legislation in the U.S. The global data protection agreement Convention 108, whose signatories extend beyond the European Union and the content of which is currently being modernized, provides a good start for this process. If the U.S. wants to steer the direction of digital policy in the global arena, it needs to step up to, not back from, the regulatory table.<\/p>\n\n\n\n