As Europe awaits the General Data Protection Regulation (GDPR) coming into force on May 25th, Facebook is rolling out new terms of service to its users to ensure compliance with the upcoming data privacy law. GDPR will regulate how Facebook collects and uses the user data that is critical to the success of its advertising business. While Facebook executives claim that GDPR will have minimal impact on its user base and its revenues, experts opine that there are multiple other ways in which GDPR can affect Facebook severely. With GDPR being an extraordinary regulation with strong potential to impact large businesses, Facebook stands exposed to a number of uncertainties that are yet to take shape.
Before we dig deeper into the topic, let us do a quick recap of what GDPR actually is and what its implications are for the functioning of businesses. The GDPR is the outcome of the European Union’s (EU) initiative to significantly reform Europe’s existing data protection laws. It is meant to regulate businesses’ policies and actions with regard to the processing and use of people’s personal data. Any information relating to an identified or identifiable individual is considered “personal data.” GDPR sets out clear guidelines for companies on how they should store data in their systems securely, what they should do to meet transparency requirements, how they should identify and report data breach incidents, and what steps they should take to deliver appropriate data protection training to their privacy teams and employees.
With the implementation of GDPR, EU residents would have “data subject rights” that would allow them to exercise control over their personal information. They would be entitled to:
- Restrict the use of their personal data
- Get a copy of their personal information
- Rectify or delete their personal data
- Access details on how their personal information is used
While the GDPR has implications for businesses similar to those of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), it is much broader in scope and in the complex detail that underpins the management and sharing of personal information.
Interestingly, Facebook attracted significant criticism when it announced its GDPR-related changes and how its users would be asked to approve the new policies. People are of the opinion that Facebook adopted “shadowy” patterns when designing the approval-seeking process, with the objective of obtaining users’ consent to the changes without letting them review the amendments properly. People found that Facebook reduced the size and visual prominence of the buttons, which made review and decision-making difficult for users. Experts opined that Facebook used shady designs to push people into quickly clicking the “Agree” button rather than encouraging them to make a choice on the basis of careful judgment. All of this creates the perception that Facebook cares little about people’s privacy and views GDPR as a barrier rather than as something its users deserve in order to protect their privacy rights.
Surprisingly, Facebook CFO Dave Wehner believes that GDPR will have no massive impact on Facebook’s online revenue, which showed strong growth during Q1 despite the Cambridge Analytica scandal. However, data experts in Europe believe that Facebook will soon face lawsuits because of how it is responding to GDPR and because the social networking giant’s requests for its users’ personal information are not compliant with the existing laws. A GDPR breach can cost Facebook 4% of its annual global revenue. Last year, Facebook’s global revenue stood at $39 billion, which means that 4% would amount to $1.6 billion.
While we wait to see whether Facebook’s attempts to comply with GDPR succeed in preventing scrutiny and consequences, it is time for other companies to start reviewing their existing privacy and data protection practices. Companies that fail to ensure GDPR compliance will end up losing their reputation.
Fabio is Technical Director EMEA-CALA, responsible for Systems Engineering in the theater. With long experience, he began his career in software development for aerospace systems before moving into the IT vendor ecosystem with Bay Networks/Nortel and Juniper Networks, rising to Technical Director EMEA for the Telecom, Cloud and Content businesses. Fabio writes about technology strategy, trends and implementation.