Facebook's Zuckerberg: GDPR Won't Apply WorldwideCEO Says Compliance Outside EU Should Be 'In Spirit' of GDPR
Facebook CEO Mark Zuckerberg says the social networking company is already complying with parts of Europe's General Data Protection Regulation, but it won't comply with all of it worldwide.
See Also: Regulation Cheat Sheet
Zuckerberg told Reuters in an exclusive interview that the company has tools in place now, such as the ability to view and delete data, that comply with GDPR.
He says the company's intention is to extend GDPR privacy protections worldwide in spirit, but that some exceptions would be made. Zuckerberg didn't describe those exceptions and in what countries those would be made.
"We're still nailing down details on this, but it should directionally be, in spirit, the whole thing," he told the news agency.
Privacy advocates hope that GDPR will evolve into a defacto global standard, with organizations applying the same principals in geographies where privacy and data laws aren't as strong.
But GDPR is complex. Leading organizations in Europe are prepared, but most have not taken action and aren't fully aware of the law's implications, says Bryce Boland, FireEye's CTO for Asia Pacific. That's in part due to the lack of case law and detailed guidance from regulators in all jurisdictions on how the rules will be enforced.
Many organizations "are waiting to see what happens," Boland says.
Pressure From Regulators
Zuckerberg's comments are likely to rile critics who have called on Facebook to make more drastic revisions to its privacy and data handling practices following the uproar over voter-profiling firm Cambridge Analytica. Facebook is facing regulatory probes from several U.S. states, the U.S. Federal Trade Commission and the U.K. (see Probes Begin as Facebook Slammed by Data Leak Blowback).
Cambridge Analytica, which is part of the U.K. military contractor SCL Group, obtained profile data of up to 60 million Facebook users. A Cambridge University psychologist sold the data, which was collected through an app deployed on Facebook in 2014, to Cambridge Analytica, which violated Facebook's rules (see Facebook and Cambridge Analytica: Data Scandal Intensifies).
That app had access to the data of those who used the app, as well as the information for those users' friends. In light of the scandal, Facebook says it has revised its app guidelines and will not allow the collection of personal data without consent.
Facebook has faced many privacy-related concerns before, and privacy campaigners have long alleged the platform collected far too much intimate data. But Cambridge Analytica's work with President Donald Trump's campaign, along with the election-related manipulation of social networks, has amplified the outcry.
As a result, Facebook has pledged to revise its data handling practices and more clearly communicate to users how their data is used. It also plans over the next six months to stop partnering with companies that link offline purchase records to people's Facebook profiles for highly targeted online advertising.
The program was launched in 2013 and involved companies including Acxiom, Datalogix and Epsilon.
Transparency Is Key
Transparency in how data is collected and used is one of the main tenets of GDPR, which is in effect now and will start being enforced on May 25. Organizations are required to clearly communicate to users how data is used and steer away from overly complex terms and conditions that are difficult to parse.
GDPR is one of the strongest pieces of data privacy legislation in the world, imposing steep fines on companies and organizations that fail to meet transparency requirements. It also requires organizations to notify of data breaches within 72 hours and includes strict penalties for failures to protect data.
The fines can range up to 4 percent of a company's annual global profits or a maximum of $25 million.
GDPR only regulates the data of European residents. But many businesses around the globe handle European's data. Over the past two years, finance, healthcare, manufacturing and technology companies have been preparing for the law's activation.
Last week, Apple said it is revising its privacy policies in preparation for GDPR, including enabling their users download the data the company holds on them, according to Bloomberg. The feature will be deployed by May.
Unlike Facebook and Google, Apple isn't a player in targeted advertising, which has allowed it to direct criticism at those companies' expense. At the China Development Forum on March 24, Apple CEO Tim Cook said well-crafted legislation may be needed to reign in overly permissive data collection, Bloomberg reported.
"The ability of anyone to know what you've been browsing about for years, who your contacts are, who their contacts are, things you like and dislike and every intimate detail of your life - from my own point of view it shouldn't exist," Cook said.