Facebook: We’ll implement GDPR privacy protections globally

Contradicting an earlier report from Reuters, Facebook CEO Mark Zuckerberg told the press today that he was going to bring General Data Protection Regulation (GDPR) privacy protections to all users globally. He expressed support for GDPR and its consumer data privacy protections.

The significance of Zuckerberg’s global embrace of GDPR cannot be overstated. His commitment now puts pressure on Google and other major ad platforms in the US to make similar moves.

The decision by Facebook today likely has multiple motivations:

• Strengthening user confidence in privacy.
• Boosting the company’s public image in the wake of Cambridge Analytica data scandal.
• Blunting calls for new privacy regulation in Washington and in US states.
• Shutting down rivals’ critiques of Facebook’s privacy policies.
• Simplifying GDPR compliance so there aren’t different approaches in different regions.

It may also partly reflect Mark Zuckerberg’s personal feelings of responsibility in the wake of Russian meddling in the 2016 presidential election and the exploitation of Facebook users’ data by unscrupulous actors and marketers seeking to manipulate voters.

Facebook also said today that Cambridge Analytica likely accessed data from more than the 50 million user accounts earlier reported. The number mentioned today was 87 million [see postscript below].

The central directives of GDPR require data controllers (those capturing data from consumers) to obtain opt-in consent for personal data collection and usage. GDPR also places strict limits on data uses for which privacy is not explicitly obtained. And it gives consumers much more control over their data than they currently enjoy.

Financial penalties for violations are potentially severe, based on a calculation of 4 percent of annual global revenue or €20 million — whichever is greater.

Much of the debate about GDPR on this side of the Atlantic has been hypothetical or academic, with many companies and marketers treating the new privacy regulations as something happening “in Europe” and not applying to the North American market or data collection practices here.

It’s extremely unlikely that any new national legislation or regulations resembling GDPR will come to pass in the US. But with Facebook’s commitment to apply GDPR standards globally, the company may have set in motion something equally powerful.

Postscript: Based on feedback and questions we received, we wanted to clarify the numbers cited above:

The first reference to “50 million users” appears to have come from a report in The NY Times citing former Cambridge Analytica employees and “documents”:

So the firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history.

The 87 million figure released today by Facebook is apparently the company’s worst-case scenario estimate. Facebook is not saying that 87 million users were actually impacted. Rather it estimated that’s the maximum who could have been affected; Facebook also asserted the numbers “could be less.”