Facebook's CEO has just announced the company will adhere to EU privacy laws when they go into effect in late May, but will not extend the same privacy protections to the rest of its global operations.

The General Data Protection Regulation (GDPR) aims to give EU citizens more control over their data, including the right to erasure, by introducing accountability rules for any organization which collects personally identifiable information.

Amidst the fallout from a major security breach (and subsequent apology tour), Facebook made a stunning reversal from its recent promises to protect user privacy.

"We're still nailing down details on this, but it should directionally be, in spirit, the whole thing," CEO Mark Zuckerberg said. He added that many of the tools which are part of the law, such as the ability of users to delete all their data, are already available for people on Facebook.

Lies And Fear

Users already have the ability to delete all their data? There are two situations where this is not true: a) users who are locked out of their accounts, and b) the shadow profile of every non-user, constructed from information supplied by their family, friends, and peers. Even if you have a Facebook account, there is no process to delete your shadow profile. Facebook is making false statements to the press.

Zuckerberg's vague statement is very revealing: Facebook is gearing up to run two discrete business units, one which adheres to privacy laws, the other doing so "in spirit". This is a risky bet, both legally and financially. The company will need to establish not only the true identity of each user, but also their citizenship, regardless of their physical location. How far will this division extend? Two sets of colocated server farms running two different versions of software? Two groups of lawyers to interpret two sets of legal standards and implement two legal policies across all services? How far will Mr. Zuckerberg go to continue selling user data to advertisers? How much will it cost the company, and how will it impact its net income?


The announcement is also an inadvertent admission: the GDPR is effective, and it scares them. It includes steep penalties for companies which violate the law (up to 4% of worldwide turnover) and radically restricts how companies like Facebook can collect and store user data. As soon as the GDPR goes into effect, any user wishing to permanently delete their data should present themselves as an EU citizen. If Facebook has no shame in lying to the public, the public should have no apprehension about lying to Facebook.

Published April 04, 2018
