At 1:00 AM Eastern Standard Time on Wednesday, Facebook published an announcement outlining some of the ways it plans to advance toward the General Data Privacy Regulation (GDPR), which comes into force next month.
Last week, during Congressional hearings with the company’s CEO, Mark Zuckerberg, lawmakers asked about Facebook’s compliance with the GDPR and whether or not the same rules and regulations would be offered to users in the U.S.>” src=”https://no-cache.hubspot.com/cta/default/53/09e975a0-06f8-49f4-aa20-1a3cdf056bde.png”>
Zuckerberg gave mixed answers over the course of the hearings (as well as the weeks leading up to it), with Representative Jan Schakowsky of Illinois finally stating that a U.S. version would be far from “an exact replica” of European regulations.
This morning’s announcement — penned by Chief Privacy Officer Erin Egan and Deputy General Counsel Ashlie Beringer — could be said to reinforce Representative Schakowsky’s assessment, as it doesn’t outline the GDPR’s requirements and rather explains new privacy options that will be rolled out to everyone.
Within the statement, Egan and Beringer write that, “while the substance of our data policy is the same globally, people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR,” but don’t go much further in terms of explaining the protections that are offered to users in the EU, versus elsewhere.
And while Facebook did recently rewrite its terms of service and data policy to make them clearer, according to this announcement, not much has changed for U.S.-based users since.
In this morning’s statement, Egan and Beringer write that “there is nothing different about the controls and protections we offer around the world.” However, the text later points to contrasting rules for teen users in the EU versus those in places where the GDPR doesn’t apply.
For the former, “teens will see a less personalized version of Facebook with restricted sharing and less relevant ads until they get permission from a parent or guardian to use all aspects of Facebook.”
But elsewhere — “even where the law doesn’t require this,” the statement says — “we’ll ask every teen if they want to see ads based on data from partners and whether they want to include personal information in their profiles.”
In other words, in certain parts of the EU (where the GDPR will come into force), users aged 13-15 will need express consent from a parent or guardian to allow the display of ads “based on data from partners” — which can include things like religious beliefs, political views, or other items that the person’s profile has deemed him or her “interested in.”
It’s the type of data that another announcement made yesterday by Facebook explains — the kind that the social network might collect and maintain based on someone’s browsing activity off of the site, which according to Zuckerberg’s remarks last week is synthesized to determine what types of ads might be the most relevant.
But the statement suggests that this parental consent requirement in the EU doesn’t apply in the U.S. — again, with the remarks indicating that where the law doesn’t require it, teens themselves will only be asked if they want to see such ads, without requiring adult permission.
There are similar discrepancies in the way it describes rules and options around facial recognition. While Egan and Beringer write that “people in the EU and Canada [will have] the choice to turn on face recognition,” for users elsewhere, they only note that “using face recognition is entirely optional for anyone on Facebook.”
That suggests Facebook users in the EU and Canada could be proactively asked to opt into face recognition in order to use, whereas users elsewhere will have to go into their settings to change this preference (which can be done so here).
Otherwise, this morning’s announcement mostly reaffirms what Facebook has said in recent weeks it will change. In addition to revised tools to help users more easily download, delete, or export their personal data — which “are available globally, although [Facebook] designed them to comply with GDPR” — users will be asked to review and choose if they want this data to be used to influence the ads they see, and if they want information they’ve chosen to share on their profiles about religion or politics to be shared with advertisers.
As for timing, Egan and Beringer write that EU-based users will begin seeing these changes and requests to review options in the weeks leading up to the GDPR coming into force on May 25.
Users elsewhere will see their versions “on a slightly later schedule,” the statement says, “in the ways that make the most sense for other regions.”
To reiterate, it doesn’t appear that this announcement explains anything terribly new, or in much greater detail than Facebook has provided in the past. In fact, shortly after it was made, TechCrunch published “a flaw-by-flay guide” to the changes outlined in this statement.
Whether or not Facebook provides any further clarity on the new options available to EU users versus elsewhere — or if equally strict regulations are introduced to users in the U.S. and worldwide — remains to be seen.
But given Zuckerberg’s historically ambiguous responses to questions about the latter, it could be quite some time before –if ever — further light is shed on these topics.