Facebook’s two billion users may get the full benefit of the European Union’s stringent data protection regulation as the social media platform promises to implement privacy changes worldwide as it continues to suffer from the fallout of the Cambridge Analytica scandal.
In a blog post published on Wednesday, Facebook announced that it is taking further steps to comply with the EU’s General Data Protection Regulation (GDPR), due to come into effect on May 25.
“We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook,” the blog post reads.
However, Reuters has reported that Facebook is changing its terms and conditions for users outside Europe, which would allow the company to impose different rules in the Americas, Africa and Asia if it wished.
What's to come
Starting this week, Facebook users in Europe will be able to review their privacy settings and give their consent on whether they want to share profile information including their political, religious and relationship information as well as whether they want Facebook to use their data to target ads.
Facebook also announced the return of its facial recognition features in Europe, which it says “help protect your privacy and improve your experiences, like detecting when others might be attempting to use your image as their profile picture.” The features also enable the social platform to suggest friends users might want to tag in photos or videos.
Facebook’s use of facial recognition technology had been struck down in 2012 in Europe and Canada as regulators ruled the photo-tagging system violated privacy law, but users will now be able to opt in.
Finally, the tech giant will roll out protections for teens as, under GDPR, young people between the ages of 13 and 15 in some countries will need parental permission to use some features on Facebook. As a result, the company says, they will see “a less personalized version of Facebook with restricted sharing and less relevant ads.”
A global roll-out
Voted through in April 2016, GDPR will allow EU citizens to access and control data held by companies, regardless of where the firm that collects the data is headquartered.
It also forces companies to be more transparent about what data they collect, why and what it is then used for.
The main components of the regulation include the obligation for companies to alert their users to a data breach within 72 hours; the need for them to acquire consent in a clear, concise and comprehensive way; and the right to be forgotten, which enables users to have their personal data erased from platforms and by the third parties they shared it with.
Failing to comply with the new EU-wide regulation would result in a fine of up to four percent of global annual revenue, much more than was previously possible.
Despite being an EU-only regulation, its impact is likely to be felt worldwide. With over 500 million consumers in the EU, multinationals including big tech companies and banks will be forced to comply, pull some products out of the market or face huge fines. Many companies are now looking into whether to extend the new data policies internationally.
Facebook — which has been heavily criticised by regulators and users worldwide since March when it emerged that the personal information of 87 million users had been improperly shared with the UK-based political consultancy Cambridge Analytica by a third party — has now decided to roll out the regulation worldwide.
“People in the EU will start seeing these requests this week to ensure they have made their choices ahead of GDPR coming into effect on May 25,” the blog post says.
“As part of our phased approach, people in the rest of the world will be asked to make their choices on a slightly later schedule, and we’ll present the information in the ways that make the most sense for other regions,” it adds.
Some commentators and users, however, have found Facebook's latest changes lacking. In its review of the changes, technology news outlet TechCrunch described the parental consent for teens as "laughably cheatable" and said the overall design "encourages rapidly hitting the “Agree” button" without reading through all the information.
How much is personal data worth?
The Cambridge Analytica scandal put into the spotlight the big business of harvesting data. But how much does it go for? A 2015 study by the Kenan-Flagler Business School found that nine data brokers in the US generated approximately $426 million (€343 million) in revenues in 2012 by selling customer data via marketing, risk mitigation and people search products.
The study also reveals how some companies pay customers to access certain kinds of data. Datacoup, for instance, would pay $8 (€6.50) per month to access customers’ social media accounts and view a feed of transactions from credit and debit cards, while Luth Research would pay $100 (€80) per month to its opt-in users to track smartphone, tablet or PC activity.
Some individuals have taken matters into their own hands. Dutch student Shawn Buckles auctioned off all his personal data online to the highest bidder in March 2014. The data — which included his personal calendar, email conversations, consumer preferences, browsing history and music preferences among others — sold for €350.
A year earlier, Federico Zannier sold his data on Kickstarter through several bundles ranging from $2 a day to $200 for his entire data archive. He included data on websites he visited, a recording of his mouse pointer movements, GPS locations and more. He netted $2,733 (€2,205) in a month.
Meanwhile, according to the US venture capital firm Loup Ventures, every US Facebook user generated about $29.60 (€23.9) in profit for the company in 2017. The firm got to that figure by looking at how much Facebook had generated in ad revenue in the US in 2017 ($19.5 billion, €15.7 billion), dividing it by the number of monthly active US users (237 million) and deducting tax.