TheLoneTechNerd | 8 years ago

This is technically true, but there are a lot of really weird implementation details. Since GDPR only applies to EU citizens, and those citizens could physically be anywhere in the world, how Facebook implements this will be super interesting.

Think about how a shadow profile gets created, for example - they notice that a group of three people keep getting tagged in photos, but there's a fourth person in the pictures who doesn't have a Facebook profile. The three people keep logging in from the same physical place (say, in the U.S.), and that same place is where the pictures are geolocated. You can assume this fourth person was in the U.S. So, Facebook starts a shadow profile on him - pictures he could have been tagged in, locations he probably was in, interests he probably has based on the intersection of his friends' interests.

But this guy is actually an EU citizen who showed up in the U.S. for a vacation. Uh oh. When would Facebook have found that out? When would they have asked this guy to opt in? Can they assume everyone in the U.S. is not an EU citizen until told otherwise?

TheCoelacanth | 8 years ago

GDPR applies to people located in the EU. Citizenship does not matter.

TheLoneTechNerd | 8 years ago

I wrote this in another comment, but this is only partially true. The GDPR protections can potentially extend to non-EU citizens who travel to the EU, but the letter of the law seems to state that that's only true if data is actually collected while the person is in the EU. In other words, Facebook and others could potentially say "if this data is geotagged in the EU, don't record it. Wait until they're back in the US." Then, since no data collection happened in the EU, they wouldn't have the right to get it deleted.

Edit: rereading https://gdpr-info.eu/art-3-gdpr/, it specifically mentions the "processing of data", not just storing. In other words, Facebook could potentially stop an American from logging in when in Europe. Would they? Likely not, it would hurt their business. But what if I (an American) sign on via a British VPN?

It also doesn't answer what would happen to the data of EU citizens who are never geotagged in the EU (due to living outside of it), but also have shadow profiles created without their consent anyway. The first GDPR lawsuit will be fascinating.