GDPR comes into force EU-wide next month, just as Facebook is embroiled in a data privacy controversy. What does the new legislation mean for the social network?

In a little under a month, new data legislation will come into effect EU-wide. After a two-year transition period, GDPR (General Data Protection Regulation) kicks in, requiring all companies operating in the European Union to adopt tougher new data protection measures. The implementation of GDPR comes at a time when Facebook is increasingly under fire for data breaches – a scandal which has seen CEO Mark Zuckerberg called to Washington to testify to Congress, and which has prompted repeated requests for him to appear before MPs in the UK Parliament.

So what does GDPR mean for Facebook?

Although Facebook is a US company, it must adhere to GDPR because it operates within the EU and/or has users or customers within those territories. It will be held to the same standards as a company headquartered in London or Milan. This is also true of other social media sites such as Instagram and Snapchat, and of search engines like Google and Bing.

In essence, Facebook will have to ensure that it meets legal requirements laid out by GDPR for EU users. These include:

  • Obtain consent to use personal user data
  • Continue to raise the issue of consent and check users are still happy to be contacted and for their data to be used
  • Provide a clear right to be forgotten for users

The problem for Facebook

Data and privacy have become a very thorny issue for Facebook over the last couple of months. It has been accused of allowing millions of users’ data to be compromised. Cambridge Analytica, a firm linked to Donald Trump’s US presidential campaign, used Facebook profile data, obtained from millions of users, to create profiles of voters to target political ads. The data of over 50 million Facebook users was illegally used, with Zuckerberg admitting that his own data was amongst that harvested.

In the midst of a global furore, and with its data protection policies already under intense scrutiny, Facebook will also have to ensure that the changes made in the wake of the scandal comply with GDPR. This is an additional headache for the firm, as the EU laws differ from those in the US.

What will Facebook need to do to comply?

Speaking during the Congressional hearing, Zuckerberg said that GDPR was “in general” a positive step, but fell short of saying that Facebook is already complying with GDPR requirements.

Along with millions of other companies in the EU, Facebook will be expected to have made significant changes to its collection and use of personal data come 25 May 2018. Among those changes, it will need to:

  • Update privacy policies
  • Notify users of data breaches within 72 hours (it took months in the case of Cambridge Analytica)
  • Provide a right to be forgotten
  • Make it easier for users to access the data held about them

While not necessarily a reaction to GDPR, Facebook has started to introduce a series of changes. On 28 March, Facebook published a post to its newsroom which said, “We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed. We’re taking steps in the coming weeks to put people more in control of their privacy.”

On 4 April, Erin Egan (VP and Chief Privacy Officer, Policy) and Ashlie Beringer (VP and Deputy General Counsel) followed this up with a second post in the Facebook newsroom, saying:

“It’s important to show people in black and white how our products work – it’s one of the ways people can make informed decisions about their privacy. So we’re proposing updates to our terms of service that include our commitments to everyone using Facebook. We explain the services we offer in language that’s easier to read. We’re also updating our data policy to better spell out what data we collect and how we use it in Facebook, Instagram, Messenger and other products.”

The changes include new features and tools, a promise to make it clearer how user data is used, and more transparency about how the company deals with harmful behaviour.

Then, on 10 April, it announced that it had launched a ‘data abuse bounty’, which rewards whistleblowers who report misuse of Facebook user data by app developers.

It’s likely that other changes will also be announced in the coming weeks as GDPR gets ever closer.