Facebook Moves 1.5 Billion Users’ Data Out Of Europe To Circumvent New Privacy Law

This doesn’t bode well for Facebook CEO Mark Zuckerberg and what remains of his tattered credibility.

After Zuck suggested (but stopping short of promising) during testimony before Congress last week that he would treat all Facebook users’ data as if it fell under the European Union’s new General Data Protection Regulation, Reuters and the Guardian are reporting that Facebook has quietly moved the data of more than 1.5 billion users out of reach of European privacy law by transferring it from the company’s European headquarters in Ireland to its global headquarters in California.

Here’s the Guardian:

In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law.

The move is due to come into effect shortly before General Data Protection Regulation (GDPR) comes into force in Europe on 25 May. Facebook is liable under GDPR for fines of up to 4% of its global turnover – around $1.6bn – if it breaks the new data protection rules.

The shift highlights the cautious phrasing Facebook has applied to its promises around GDPR. When asked whether his company would promise GDPR protections to its users worldwide, Zuckerberg demurred. “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he said.

A week later, during his hearings in front of the US Congress, Zuckerberg was again asked if he would promise that GDPR’s protections would apply to all Facebook users. His answer was affirmative – but only referred to GDPR “controls”, rather than “protections”. Worldwide, Facebook has  to let users exercise their rights under GDPR, such as downloading and deleting data, and the company’s  are similarly universal.

As Reuters explains, by moving the data, Facebook is creating an important buffer against legal penalties.

That removes a huge potential liability for Facebook, as the new EU law allows for fines of up to 4 percent of global annual revenue for infractions, which in Facebook’s case could mean billions of dollars.

The change comes as Facebook is under scrutiny from regulators and lawmakers around the world since disclosing last month that the personal information of millions of users wrongly ended up in the hands of political consultancy Cambridge Analytica, setting off wider concerns about how it handles user data.

The change affects more than 70 percent of Facebook’s 2 billion-plus members. As of December, Facebook had 239 million users in the United States and Canada, 370 million in Europe and 1.52 billion users elsewhere.

In separate statements to Reuters and the Guardian, Facebook essentially denied that the change would have any impact on how user data are treated, and that Facebook users would have “the same privacy protections everywhere.”

Facebook told Reuters “we apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland.” It said the change was only carried out “because EU law requires specific language” in mandated privacy notices, which US law does not.

In a statement to the Guardian, it added: “We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.”

However, a data privacy researcher who spoke with the Guardian said Facebook’s statements are disingenuous (surprise, surprise).

Privacy researcher Lukasz Olejnik disagreed, noting that the change carried large ramifications for the affected users. “Moving around one and a half billion users into other jurisdictions is not a simple copy-and-paste exercise,” he said.

“This is a major and unprecedented change in the data privacy landscape. The change will amount to the reduction of privacy guarantees and the rights of users, with a number of ramifications, notably for for consent requirements. Users will clearly lose some existing rights, as US standards are lower than those in Europe.”

“Data protection authorities from the countries of the affected users, such as New Zealand and Australia, may want to reassess this situation and analyse the situation. Even if their data privacy regulators are less rapid than those in Europe, this event is giving them a chance to act. Although it is unclear how active they will choose to be, the global privacy regulation landscape is changing, with countries in the world refining their approach. Europe is clearly on the forefront of this competition, but we should expect other countries to eventually catch up.”

In an interesting twist, Facebook disclosed that moving the data would not come with tax ramifications. This bifurcation means that Facebook will continue paying taxes on that business in Ireland, but the data will be based in the US, where it will be exempt from European privacy laws.

To be sure, if certain Democratic lawmakers have their druthers and pass a privacy law modeled after the GDPR, Facebook might need to find another domicile for its data. And assuming the outrage over the company’s treatment of user data has a lasting impact, the company might need to repeat this process again and again, until there’s nowhere left to hide.

In other Facebook news, an auditor reviewing the company’s privacy practices gave the company “a clean bill of health” in a report to federal authorities last year – well after Facebook had discovered Cambridge Analytica’s alleged deception. The audit was required as part of a settlement Facebook reached with the FTC in 2011, per the Wall Street Journal.

An auditor reviewing Facebook Inc.’s FB -0.67% privacy practices gave the social-media company a clean bill of health in a report to federal authorities last year—well after Facebook discovered that political consulting firm Cambridge Analytica improperly obtained millions of users’ personal data.

“In our opinion, Facebook’s privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information,” the auditing firm, PricewaterhouseCoopers, said in the report to the Federal Trade Commission dated April 12, 2017. A heavily redacted version of the report is posted on the FTC’s website.

The audit, which covers a two-year period ended in February 2017, was required as part of a settlement that Facebook reached with the FTC in 2011 to ensure the company was clearly informing users about the way their data was being used. But PwC’s conclusions raise questions about the vigor of its vetting process at a time of mounting questions about Facebook’s ability to protect user privacy.

Back in 2011, the FTC accused Facebook of deceiving consumers by telling them they could keep their data private, but then repeatedly allowing the data to be shared and made public (sound familiar?). An agreement reached by the two sides required Facebook to give consumers “clear and prominent notice” and “obtain their express consent” before sharing their information in any way that wasn’t explicitly laid out in their privacy settings.

The question of whether the company has violated its FTC settlement is now the subject of an intense debate. At stake are millions of dollars in fines.