Why should companies like Facebook commit to applying GDPR globally?
Hasn't Facebook said it would give European data protection to all of their users?
Yes, but only in very vague language. In an initial reaction to the Cambridge Analytica scandal, Mark Zuckerberg declared that Facebook would apply the EU General Data Protection Regulation (GDPR) “in spirit” to their 2 billion users worldwide. When questioned by members of the US Congress, Zuckerberg declared that "[a]ll the same controls will be available around the world". Representative Green sought confirmation, asking: "And you commit today that Facebook will extend the same protections to Americans that European users — users will receive under the GDPR?", Zuckerberg responded "Yes, Congressman. We believe that everyone around the world deserves good privacy controls. We've had a lot of these controls in place for years. The GDPR requires us to do a few more things, and we're going to extend that to the world."On 17 April, Facebook issued an announcement about its GDPR changes, titled "Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live". Again, however, the language is legally vague and does not amount to a committment to apply GDPR globally.
Why should Facebook commit to applying GDPR globally?
All users should be entitled to the highest privacy protections no matter where they are based. Privacy is a fundamental human right and data protection is intrinsically linked to it. GDPR is not perfect, but it does provide enforcable rights and obligations. That's why the Transatlantic Consumer Dialogue - a coalition of more than 75 consumer protection and privacy orgnanisations in the US and Europe - sent a letter to Mark Zuckerberg, asking him to adopt same privacy standards for all consumers. Facebook is a company with global reach. If the company wants to demonstrate true commitment to protecting the privacy of users across the world, applying GDPR globally would be the most straightforward thing to do. Facebook is already required to implement GDPR for its users in the EU, and therefore should do the same for all users. Further, if there are national laws with higher data protection standards than GDPR, Facebook should respect these too.
Facebook is moving 1.5 billion users out of the reach of European data protection law. What does that mean?
As it stands, the company serves 239 million users that are located in the U.S. and Canada out of Facebook in Menlo Park, California. The rest of the world, that is 1.9 billion members in Europe, Africa, Asia, Latin America, and the Middle East are governed by terms of service agreed with the company’s international headquarters in Ireland. This means that Irish data protection law applies to their data and that users around the world have the same rights as users in the EU.
It has now been reported that Facebook is changing the terms of service for users outside the EU. This move will mean that new data protection laws (the GDPR) will not automatically apply to all 1.9 billion users outside the United States and Canada. This will likely result in lowering the existing standards of protection offered to these users.
But isn't Facebook changing company settings for users outside of Europe?
That's true, but GDPR is about so much more than just privacy settings. It's about the way in which personal data is being processed - it provides comprehensive protection including rights for individuals, stringent obligations on those processing data, and a regulatory and enforcement regime - including fines of up to 20 milion euros or 4% of a company's annual global turnover.
So how easy is it for Facebook to dodge GDPR requirements for those outside the EU?
Good question. Legally it is quite dubious that Facebook or other companies operating in Europe could sidestep their obligations under European data protection law by simply changing their terms of services. Whether or not European data protection law applies is not simply a matter of contract. It depends on a number of factors, including what happens with the data in practice, who is in control of it, and what their links are to the EU.
Currently, Facebook's terms of service make it clear that users outside the US and Canada are subject to an agreement with Facebook Ireland. What this means in terms of the company's responsibility for users data is detailed in Facebook's data policy. This policy explains that if you live anywhere except the US and Canada, the company responsible for your data (i.e. the data controller) is Facebook Ireland. In practice, this means that Facebook has to respect the rights and obligations under Irish (and therefore EU) data protection law.
Let's take a step back and explain what GDPR means for global companies like Facebook. The GDPR, which comes into effect on 25 May 2018 , applies to companies that are established in the European Union. It also has an extraterritorial scope, in that it also applies to companies that are not based in the European Union, but that offer goods and services to people in the EU, or that monitor the behaviour of people in the EU.
[Legal explaination below!]
Facebook's change in terms of service, relates to the first type of processing, for which the law provides “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” That is not the clearest of language and includes a number of complex legalistic terms. Terms such as 'context of activities' and 'establishment' have been previously interpreted broadly by the Court of Justie of the European Union (the EU's top court), in cases such as Weltimmo v. NAIH (C-230/14) and Google Spain SL, Google Inc. v. AEPD, Mario Costeja Gonzalez (C- 131/12), and in the Google case looked at the 'inextricable link' between the activities of Google Inc and Google Spain. The terms are given some further explaination in the GDPR recitals (the introductory paragraphs), including that "Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect". So it is not necessarily as simple for Facebook as changing their Terms of Service to avoid the application of GDPR, as it will very much depend on the detail of data their processing operations in Ireland including, but not limited to, the control Facebook Ireland has over the data, their link with Facebook Inc and what data is actually being processed in the EU (e.g. in Facebook's data centre). The fact that the personal data relates to non EU residents will not be the determining factor.
Even if it is not clear cut that this change will exempt Facebook from applying GDPR to users outside the EU, it sits at odds with Facebook's public statements. In fact it may be interpreted as an attempt to do remove users from GDPR's ambit, and it is certainly muddying the water for the millions of users (not in the US, Canada, or the EU) by removing the clarity provided by having Facebook Ireland explicitly as the data controller.
Facebook should reconsider this move, and other companies should use this opportunity to position themselves as strong defenders of data privacy by raising protections for everyone.
So what should global companies like Facebook do?
Facebook is a company with global reach. If it wants to demonstrate the company's commitment to the privacy of users across the world, here's what we recommend:
- Refrain from changing current terms of services in ways that could lower the data protection standards and safeguards currently afforded to their users.
- Adopt the General Data Protection Regulation (GDPR) as a baseline standard for all users, as well as comply with any national legislation that requires stronger safeguards for users.
- Demonstrate compliance with the data protection standards, including by being clear and transparent on what laws they apply to protect users’ data and how they have implemented them.