Best endorsement of GDPR they could possibly make. Everyone knows Facebook collects more data than most people probably want so it follows that a privacy law they don't want to roll out everywhere must help curtail that to some degree.
Yeah, and to a degree that they're willing to eat the cost of maintaining a much more complicated privacy structure (and, inherently, code base) to not roll it out everywhere.
Playing devil's advocate: it could also be that their implementation of the GDPR necessarily restricts functionality from the user's point of view. And they simply want their users to have the best (in their view) possible experience.
At some stage Americans need to expand their definition of what "freedom" is. Right now maintaining freedom from government is almost a national pastime (and arguably quite effective), but in the meantime infringement from private organizations has expanded and I'd argue is now the predominant issue facing your average citizen.
You have HOAs acting as government, tech companies acting as intelligence organizations, private security acting as police, and heck even private companies buying up roads/bridges maintaining them and charging a fee.
The whole "make a different choice" retort whenever private organizations do something evil is getting less and less believable with every passing day. For example, in a lot of cities almost every neighborhood has a HOA.
While there certainly is room to improve privacy legislation, it must be done carefully. More legislation is not always better. For example, I'm strongly against forcing search engines to remove entries based on a single person's 'right to forget.'
I had posted it on the other link as well where Panera Bread's leaks were discussed (1 and 2), but since it is relevant to this discussion, reposting it here. I have edited my conclusion a bit from the original two postings:
Commenting only on the speed of response (or the glacial interpretation of it in Panera's case):
For companies operating in European Union, the General Data Protection Regulation (GDPR) (3) mandates that such breaches need to be disclosed under 72 hours. The implementation deadline for GDPR is by end of May 2018 (~7 weeks to go).
Under Armour, a US-based sports apparel manufacturer, who operates in EU as well, recently had a breach that affected 150-million users, and went public within 3 days of discovering the breach (4).
I believe Under Armour's case is the norm we can expect going forward. As most companies are not "tech" in nature, unlike FB which happens to be one, it will make sense for them to keep just one security policy and the legally mandated strictest one may be the dominant policy across the enterprise.
It's worth noting that Article 33(1)[1] states that a breach must be reported to the local supervisory authority unless said breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'. This call is made by the organisation which suffered from the breach, by the way (certainly in the absence of any case law).
It will be interesting to see the interpretation of that clause in action, specifically when looking at information such as IP address which is still considered a grey area.
Definitely, as do most of us. But that IMO is mostly attributable to the network effect and not to anything particularly special about Facebook as an application. An incumbent social network with mostly identical software, minus the spying plus an ethical monetization strategy, would be out-competed financially by Facebook unless user tracking is regulated more closely.
I now live in a country where Facebook is a major part of how people function online. I deleted my profile and stayed off for 2 years when I still lived in the US, but here it's more vital to have one unfortunately.
FYI, I recently deactivated my Facebook account and found I could still use messenger. That seemed like a great compromise to me. I still have had to reactivate it a couple times for some third party login, but I deactivated again right after that.
How does Facebook distinguish between US and European users? Does it do it based on IP address? On GPS data it slurps up from mobile applications? On the manually selected city the user specifies that they live in? Facebook also operates a TOR service, how can it comply whilst not knowing where the user is signing in from? Does a European user who uses an American VPN become classified as an American user and vice versa? There is probably a business opportunity here somewhere to provide European data privacy as a service. It all seems pretty complicated.
How can this be legal? I travel to Europe frequently for work. I use (well technically used) Facebook to stay in touch with people back home. But shouldn't my data be covered under GDPR if I've saved data from within the European Economic Area?
This is less attractive when you realize that all big companies will have a non-European subsidiary pay a non-European component of facebook for all their advertising needs, which would hugely lower the revenue base that 4% is calculated from.
I can't help but feel that the decisions behind `excluding these features globally` or `targeting these features specifically` are made for less than savory reasons.
I would understand if these features are available, though default to their 'current'/'non GDPR compliant' setting - but this does not seem to be the case.
Without an explanation how and why these decisions are being made, which is not 'legally' required; I think more and more users should question Facebook, and their motives.
“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” Reuters quotes Zuckerberg on the GDPR question.
I'd prefer "no comment atm" rather than this string of vague words, but then TC wouldn't have an article.
We're spending a lot of money finalizing our GDPR implementation right now. I wouldn't know how to not extend it globally. That would be significant additional work at this point.
This was my reaction: they're either even better programmers than I thought if they don't see bifurcating their approach to users based on temporal geographic locations or they're dumber than rocks.
I can't imagine it would be too hard for Facebook to extend the work they've done for GDPR to all other countries and am surprised they are choosing not to as it only puts them in a worse position with the American public and any other non-EU country that is privacy conscious.
Does anyone know how one can mark him/herself as a "European Citizen" on Facebook so that this GDPR protection applies? Not for me personally, asking for a friend.
As someone implementing GDPR right now on a news website, it's going to come down to this...
We detect that traffic is coming from the EU so we treat you differently and ask for consent etc. If you are Non-EU it's business as usual.
There are weird edge cases: If you are in the EU and use a VPN to appear to be in Virginia then we will not know you are really in the EU and you will get the non-GDPR treatment. Again, technically we can only do so much.
No surprise there. But it may serve as yet another reminder that privacy protection can only result from laws and not from the mercy of Facebook and its ilk.
... and suddenly legislation/coercion doesn't seem so bad if you value privacy as a path society should veer towards. It doesn't seem the market's doing its magic in our favor in this area.
I'm so glad I closed my FB account a while back. It has restored my sanity and I also don't have to worry about megalomaniacs such as Zuckerberg sifting through my data and selling it.
I think we should start a campaign and lobby our own government to pass a law similar to GDPR.
> I also don't have to worry about megalomaniacs such as Zuckerberg sifting through my data and selling it.
No, they track everyone across the web via their embedded pixels and create "shadow profiles." I have never joined Facebook, but they still know me. I block their tracking by blocking their various websites. I'm not sure that's enough as I understand they still buy data. In their defense, I don't think they sell my data, except perhaps to the NSA.
You may have closed your account with Facebook. They haven't closed their account with you. They maintain information on people who don't have accounts.
> Zuckerberg said many of the tools that are part of the law, such as the ability of users to delete all their data, are already available for people on Facebook.
Uhm, do those tools actually delete the data though? Are they not required to under GDPR?
Disingenuous as always.
GDPR requires a maximum grace period of 30 days to comply with the erase request.
Facebook holds your stuff for 90 days. Just as an example.
Data management is just a part of the law, by the way. Facebook is currently not complying with all the obligations about privacy by design and defaulting to opt-out.
“The vast majority of what is required here are things that we’ve already had for years across the world for everyone.”
My understanding is that GDPR would require a deep delete of user data from Facebook's systems. Anyone have info on how that would work with shadow profiles that Facebook creates on your behalf and without your consent? Seems like this would fall under the domain of GDPR. (Which also makes me think of just how misleading that quote is from Zuckerberg)
Yes. I've talked with some in the social media industry about addressing GDPR. What it means is a massive shift in the way data is handled.
What's the difference? Well, it's helpful to have some context on how data is used in a place like FB. Data originates (for the most part) with the user. It gets dropped in one of the many operational data sources that back the service. From there, it's mostly waiting to be used by someone for some reason, which might be a ML project or something else. So, then you will want to move the data. You'll make some sort of pipeline from the source to where you want to work, such as ETL the data you want out or set up some sort of messaging system to handle things in an online way.
Maybe now that you have the data, you'll share it with other people working on the project. The data might be distributed (best case) through an environment meant to work with the data (e.g., Spark/HDFS/Hadoop) or might just be sent piecemeal as CSVs. Once the project is done, the data might just be left in place. Who knows where those CSVs go?
One of the big requirements of GDPR is deleting an individual's data EVERYWHERE. And while the above is a sort of simplified view of use of data in a logical manner, I can assure you someone out there somewhere is doing something that doesn't make sense. In light of that, getting rid of a person's data everywhere is a HUGE architectural/infrastructural/process problem for a platform like FB.
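The copy-sprawl problem described in the comment above, as an added sketch that is not part of the thread or any participant's code: an erasure request can only follow copies that were recorded when they were made, so a CSV handed around outside the pipeline survives it. All class, function and store names are hypothetical and the rows are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Store:
    """One place user data lives: operational DB, ETL output, shared extract."""
    name: str
    rows: list = field(default_factory=list)  # each row: dict with "user_id"

    def erase(self, user_id):
        """Delete the subject's rows; return how many were removed."""
        kept = [r for r in self.rows if r["user_id"] != user_id]
        removed = len(self.rows) - len(kept)
        self.rows = kept
        return removed


class Lineage:
    """Records every tracked copy so an erasure request can follow the data."""

    def __init__(self):
        self.stores = {}
        self.derived = {}  # store name -> names of stores copied from it

    def register(self, store):
        self.stores[store.name] = store
        self.derived.setdefault(store.name, set())
        return store

    def copy(self, src, dst_name):
        """Pipeline-style copy that is recorded in the lineage graph."""
        rows = [dict(r) for r in self.stores[src].rows]
        self.derived[src].add(dst_name)
        return self.register(Store(dst_name, rows))

    def erase_everywhere(self, root, user_id):
        """Walk from the source through all recorded copies, erasing in each."""
        report, todo = {}, [root]
        while todo:
            name = todo.pop()
            if name not in report:
                report[name] = self.stores[name].erase(user_id)
                todo.extend(self.derived[name])
        return report


def holds_subject(stores, user_id):
    """Audit sweep: names of stores that still contain the subject's rows."""
    return sorted(s.name for s in stores
                  if any(r["user_id"] == user_id for r in s.rows))


def demo():
    # Constructed sample data; all store names are hypothetical.
    lineage = Lineage()
    source = lineage.register(Store("users_db", [
        {"user_id": 1, "city": "Hamburg"}, {"user_id": 2, "city": "Austin"}]))
    etl = lineage.copy("users_db", "etl_features")
    training = lineage.copy("etl_features", "training_set")
    # A CSV handed to a colleague outside the pipeline: no lineage record.
    adhoc = Store("adhoc_export.csv", [dict(r) for r in etl.rows])
    report = lineage.erase_everywhere("users_db", user_id=1)
    leftovers = holds_subject([source, etl, training, adhoc], user_id=1)
    return report, leftovers
```

Calling `demo()` returns the per-store erasure counts and the list of stores that still hold the subject afterwards; only the untracked export remains, which is why an independent sweep is needed alongside the lineage walk.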
That is because it is misleading. Under the GDPR, they would have to hard delete those shadow profiles. For everyone else, they would not delete that data.
GDPR requires protection for all EU citizens regardless of location of the user or the data. This means that the millions of EU citizens living in the US have to be afforded the same protection, or FB faces very punitive fines.
It will be interesting to see how this plays out. Will FB require users to stipulate that they do not have an EU passport? What happens if we all say we have one? How would they verify that?
> GDPR requires protection for all EU citizens regardless of location of the user or the data.
I haven't yet read the whole of GDPR, so maybe there is something further in that changes this, but based on Article 3 that does not seem to be the case. Here's an earlier comment of mine that quotes Article 3 and discusses this [1]. Here's a link to a nicely formatted online copy of GDPR [2].
It appears to require protection when either (1) the entity processing the data is in the EU or (2) the person whose data is being processed is in the EU.
Even if they did I doubt Facebook has enough of a handle on their data to avoid the fines for GDPR. Their infrastructure must be massive, and they have a big target on them. I can't say I feel bad for them.
[+] [-] ejlangev|8 years ago|reply
[+] [-] dclowd9901|8 years ago|reply
[+] [-] amelius|8 years ago|reply
[+] [-] dominotw|8 years ago|reply
[+] [-] Someone1234|8 years ago|reply
[+] [-] insickness|8 years ago|reply
[+] [-] somberi|8 years ago|reply
(1) https://news.ycombinator.com/item?id=16739753
(2) https://news.ycombinator.com/item?id=16741391
(3) https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
(4) http://www.bbc.com/news/technology-43592470
[+] [-] trampypizza|8 years ago|reply
[1] https://gdpr-info.eu/art-33-gdpr/
[+] [-] acjohnson55|8 years ago|reply
[+] [-] 3131s|8 years ago|reply
[+] [-] exolymph|8 years ago|reply
[+] [-] go_prodev|8 years ago|reply
After 10 days clean, buy yourself a beer.
[+] [-] eric-hu|8 years ago|reply
[+] [-] ionised|8 years ago|reply
[+] [-] shiado|8 years ago|reply
[+] [-] jdavis703|8 years ago|reply
[+] [-] pwtweet|8 years ago|reply
[+] [-] yeswecatan|8 years ago|reply
[+] [-] hedora|8 years ago|reply
This is doubly attractive if they can have a European subsidiary that only pays the fine on European revenue.
(I’d rather see the penalties be strengthened, to be clear.)
[+] [-] Someone|8 years ago|reply
That won’t work. It’s 4% max, per infringement.
[+] [-] olympus|8 years ago|reply
[+] [-] foolfoolz|8 years ago|reply
I think many small businesses are going to have to shut down EU operations because of GDPR
[+] [-] gU9x3u8XmQNG|8 years ago|reply
[+] [-] personlurking|8 years ago|reply
[+] [-] rock_hard|8 years ago|reply
Unfortunately it's hard to find any news outlet these days who refrains from such shady tactics :(
I hence started blacklisting news sites that I notice spreading FUD...even if that means I end up with no news.
On social media it’s actually less of a problem because I am able to engage with the person who shared it
[+] [-] nsxwolf|8 years ago|reply
[+] [-] tclancy|8 years ago|reply
[conclusion left as an exercise for the reader]
[+] [-] robbiet480|8 years ago|reply
[+] [-] grigjd3|8 years ago|reply
[+] [-] volgo|8 years ago|reply
[+] [-] Swizec|8 years ago|reply
Does GDPR apply? Can I go around making annoying requests to apps and services I use?
[+] [-] RafiqM|8 years ago|reply
If I were FB I would want to cover my ass on that one and accept any signal at all that the user is within the EU. Just conjecture though.
[+] [-] donohoe|8 years ago|reply
[+] [-] tempodox|8 years ago|reply
[+] [-] mancerayder|8 years ago|reply
[+] [-] Jerry2|8 years ago|reply
[+] [-] 411mrc|8 years ago|reply
[+] [-] isostatic|8 years ago|reply
[+] [-] mehrdadn|8 years ago|reply
[+] [-] camillomiller|8 years ago|reply
[+] [-] mercer|8 years ago|reply
[+] [-] opmelogy|8 years ago|reply
[+] [-] theabacus|8 years ago|reply
[+] [-] AFNobody|8 years ago|reply
[+] [-] alex_young|8 years ago|reply
[+] [-] shadowtree|8 years ago|reply
A US citizen living in Hamburg is covered by GDPR. An Austrian citizen living in the SF Bay Area is not covered by GDPR.
Don't know if this makes it easier or harder.
[+] [-] tzs|8 years ago|reply
[1] https://news.ycombinator.com/item?id=16752857
[2] https://gdpr-info.eu/
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] cblock811|8 years ago|reply
[+] [-] justinzollars|8 years ago|reply