Facebook doubles down on GDPR despite the risks

On April 17, 2018, Facebook’s Chief Privacy Officer – Erin Egan, proclaimed:  “[t]oday we’re introducing new privacy experiences for everyone on Facebook as part of the EU’s General Data Protection Regulation (GDPR), including updates to our terms and data policy.”  According to Ms. Egan, “people in the EU will see specific details relevant only to people who live there” yet “there is nothing different about the controls and protections we offer around the world.”  In her blog post, Ms. Egan also reaffirmed something said numerous times by Mark Zuckerberg during recent Congressional Hearings, namely “we continue to commit that we do not sell information about you to advertisers or other partners.”  Tellingly, the phrase “information about you” was never elaborated upon by Ms. Egan.

As is often the case, the devil is in the details.  First, the fact that the “controls and protections” found on a Facebook account may be similar around the globe – as was the case before Ms. Egan’s blog post – does not mean the privacy laws protecting Facebook users have remained the same.  Quite the contrary is true given that the choice of law provision applicable to Facebook’s users was just amended from Facebook’s low-tax home domicile of Ireland to the non-GDPR land of California – expressly now leaving about 1.5 billion users potentially outside the purview of the GDPR.  When asked by Ars Technica why the choice of law provision was changed, Facebook purportedly said “the change had been made in the name of the companies’ business interests. The company declined to elaborate further.”

Second, neither Facebook’s new Terms of Service nor its new Data Policy – both last revised on April 19, 2018 – defines the word “you” or “your”.  As well, the revised Data Policy expressly gives Facebook broad latitude in its use of undefined user “information”:

We use the information we have (including your activity off our Products, such as the websites you visit and ads you see) to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and understand the types of people who use their services and how people interact with their websites, apps, and services.

Indeed, apparently armed with this undefined user “information”, Facebook recently launched a program that analyzes user data sufficiently to purportedly predict behavior for advertisers.

If the undefined “you” in Facebook’s agreements differs from the composite “you” created by Facebook that is pseudonymized, repurposed and then sold to advertisers, one could never tell from any of Facebook’s agreements.  Interestingly, Recital 78 and Article 25 of the GDPR expressly consider “pseudonymising personal data” a best practice for companies developing Privacy by Design compliance initiatives.  Under the GDPR, pseudonymized data can even be processed for purposes different from which the data was originally collected.  The only problem with the GDPR’s exalting of pseudonymizing is that companies now oftentimes discover the sovereign identity “you” when provided information concerning the composite “you” that is pseudonymized by Facebook.

It would have been comforting if Facebook’s auditors were on top of this longtime “nudge wink” between Facebook and the advertising industry.  Unfortunately, they are not.  In an April 18, 2018 paper titled “Understanding and Improving Privacy ‘Audits’ under FTC Orders”, author Megan Gray points out that Facebook’s FTC audit assessments are circular – “Management asserts it has a reasonable privacy program. Based on management’s assertion, we certify that the company has a reasonable privacy program.”

In effect, this audit process ultimately renders Facebook’s assessments “almost indecipherable” and “requiring certified-auditor knowledge.”  As correctly summed up by Gizmodo, “[t]he current process essentially allows companies under consent orders to self-regulate.”  Accordingly, it is no surprise that PwC’s auditing cleared Facebook’s privacy practices “in an assessment completed last year of the period in which data analytics consultancy Cambridge Analytica gained access to the personal data of millions of Facebook users”.

Notwithstanding its aptitude for parsing words, Facebook will soon be in uncharted and unpredictable privacy waters where disclaimers and popup consent forms may not easily tread.  Even though no one can say with certainty how things will play out after the GDPR’s formal launch on May 25, 2018, one thing is sure – Facebook has very publicly committed to GDPR compliance.  And, to the extent there are failings in such compliance, there are more than a handful of class counsel and global governmental agencies ready to pounce on Facebook and its partners.