With just over a month to go before the new European Union’s stringent data protection regulation kicks in, Facebook appears to be on a collision course with the bloc as it continues to grapple with the aftermath of the Cambridge Analytica scandal.
In an interview aired Friday with NBC Today, Facebook Chief Operating Officer Sheryl Sandberg refuted claims that the company relied too much on users’ data for its revenues before suggesting that users would have to pay to opt out of their data being used to target them for advertising.
“We have different forms of opt-out, we don’t have an opt-out at the highest level. That would be a paid product,” Sandberg said
The company has since issued a statement saying that Sandberg was only speaking on hypothetical terms and that it does not offer a pay model.
According to Marion Brogli, CEO of DPO Consulting - a consulting firm specialising in data protection and privacy - the point is moot because such a model “is impossible as it would go against the upcoming European regulation.”
From May 25, companies gathering the personal data of EU residents will have to comply with the General Data Protection regulation (GDPR).
Voted in in April 2016, the regulation will allow EU citizens to access and control data held by companies, regardless of where the firm who collects the data is headquartered.
It also forces companies to be more transparent about what data they collect, why and what it is then used for.
The main components of the regulation include the obligation for companies to alert their users of a data breach within 72 hours; the need for them to acquire consent in a clear, concise and comprehensive way and the right to be forgotten, which enables users to have their personal data erased from platforms and by the third parties they shared it with.
Facebook to 'comply with the GDPR'
Facebook has been in the crosshair of users and regulators worldwide since last month, when it emerged that personal information of millions of users had been improperly shared with the UK-based political consultancy Cambridge Analytica by a third party.
The scandal was initially thought to have impacted 50 million users but in a blog post on Wednesday, Facebook’s Chief Technology Officer Mike Schroepfer revised that figure upwards to 87 million - of whom 2.7 million are from the EU.
CEO Mark Zuckerberg, who is due to appear in front of two US congressional hearings about the scandal, has since admitted that his company failed to take a broad enough view of its responsibility.
But it is in the EU that the scandal could prove most painful for Facebook as it highlighted how lax the company's policies still are just two months before the new rules and sanctions come into play.
“So far Facebook hasn’t complied with the regulation despite most of the rules already being enforced in France, Germany, Italy and Belgium,” Brogli told Euronews, adding that the company “has initiated some things but it falls far short of what they need to do.”
In May last year, the social media giant was fined €150,000 by the French watchdog for failing to prevent its users’ data from being used by advertisers.
“That represented 0.0000 something of Facebook’s quarterly revenues,” Brogli emphasised.
But failing to comply with the new EU-wide regulation would result in a fine of up to four percent of global annual revenue which is “a lot more painful.”
In a page dedicated to the GDPR, Facebook said that it complies "with current EU data protection law and will comply with the GDPR."
"Our GDPR preparations are well underway, supported by the largest cross-functional team in Facebook's history," it added.
Sandberg responded Friday to a letter sent late last month by Vera Jourova, the EU's Justice Commissioner with a telephone call between them scheduled next week to discuss the massive data leak.
Zuckerberg was also called on to appear in front of the European Parliament.
“It would be in his best interest to go,” Brogli warned. “If he doesn’t, he can be certain that an investigation will be launched on May 26 and that the sanctions applied will be massive.”
Despite GDPR being a EU-only regulation, its impact are likely to be felt worldwide. With over 500 million consumers in the EU, multinationals including big tech companies and banks will be forced to comply, pull some products out of the market or face huge fines. Many companies are now looking into whether to extend the new data policies internationally.
“It was the EU’s aim,” Brogli explained. “The GDPR is a little bit like an updated version of the Declaration of the Rights of Man and of the Citizen, which inspired the Universal declaration of Human Rights, but for the digital era.”