A last-minute change makes it so Facebook doesn’t have to protect the privacy of 1.5 billion users under strict European laws.
As of today, all Facebook users outside the U.S. and Canada are governed by terms of service enforced by the company’s headquarters in Ireland. That means when the strict data rules under the E.U.’s General Data Protection Regulation (GDPR) role around next month, Facebook would have to protect nearly 1.9 billion users, including those in Africa, Asia, Australia, and Latin America.
But not so fast. As reported by Reuters, the social network will change its policies next month so it’s no longer responsible for the 1.5 billion non-European users who were covered under its previous arrangement. This sleight of hand shows the strain the new rules put on Facebook as it tries to overcome its own privacy scandal.
The GDPR, which takes effect on May 25, requires social networks to gain consent from users before they can use their personal data. Companies must also report cybersecurity breaches within 72 hours, provide data it gathers on individuals upon request, and even remove data under “right to be forgotten” provisions. Those who violate the terms owe 20 million euros or 4 percent of their global annual revenue. For a juggernaut like Facebook, that’s billions of dollars.
Facebook denies making the changes to reduce its GDPR coverage, claiming everyone in the world will have the same privacy controls and settings. Zuckerberg previously said the new privacy law would only apply to other users “in spirit.” Soon, all non-European users will be governed by more lenient, uniform policies employed in the U.S. and Canada. The changes are expected to happen sometime next month, just in time for the GDPR cutoff. Other social media giants, like LinkedIn, will make similar changes in the coming weeks.
“We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc. or Facebook Ireland,” the company told Reuters.
This means that while all Facebook users will have access to privacy settings, only a small portion of them can hold the company accountable.