Yet, they are doing two other things which cause concern.
First, they have moved all non-EU citizens' data from Ireland to the US, so that it is not subject to the upcoming EU GDPR.
As a brief reminder, the GDPR, effective from May 25th, has the following key strands:
- It ensures that we all have easier access to our own data (what data is held and by whom)
- It requires businesses to provide real clarity on how personal data is processed and used
- It gives every individual the right to data portability, making it easy to transfer data – and to delete it
- It requires every organization to appoint a Data Protection Officer, who, amongst other things, must report breaches
- And breaches / non-compliance can lead to big fines (4% of turnover)
So, from a personal privacy and data protection point of view, GDPR is a VERY GOOD THING.
The UK has said that it will comply with GDPR even after Brexit, not least as it is a requirement that any firm that does business in Europe should comply with GDPR. The Information Commissioner’s Office (ICO) will have responsibility for UK GDPR compliance and investigation of breaches. They have published an excellent Guide.
There is some danger that the UK Government will modify certain provisions in the new UK law which enshrines GDPR – that’s for another post.
The US, by contrast, does not have any equivalent Federal framework – and also has historically tended to side with businesses and not individuals in this arena. We will see if the Cambridge Analytica/Facebook controversy alters that.
In any case, back to Facebook. By moving the data of 1.5 billion people, they are not offering them the same data protection as European citizens. Why?
Well, the answer is in the second thing that Facebook are doing.
They are rolling out new privacy agreements, to confirm that all users know what is happening with their data – with a series of opt-in and opt-out buttons. It is fair to say that knowledgeable tech journalists laughed at their implementation, as it was all clearly skewed to default in Facebook’s favour.
In particular, when you have a chance to sign off on your agreement with Facebook, be very careful with the facial recognition button ...
A colleague of mine wrote an excellent analysis of this situation – see Bloor Research Blog.
So, here’s the point of this post. The GDPR, and all other attempts across the world to protect our data and privacy, are in the Customer’s best interests.
Attempts to ‘get round’ GDPR, however subtle, are essentially attempts to deny Customer rights.
They demonstrate that the company is just NOT Customer Centric, whatever they are calling themselves in their marketing.
And a related point. Just because you can do something with technology doesn’t mean you should.
People want cool, not creepy.
Also, an update. Cambridge University rejected a research proposal (in 2015) based on Facebook data because the privacy issues were not properly dealt with.
This story is not going to end soon. One day it will be a) a textbook case-study of how not to use personal data and b) a textbook case-study of how not to handle a PR crisis. More chapters to be written first, though. And remember, Mr Zuckerberg, just because you can do something technically, it doesn’t mean you should, ethically.
Anyone at Facebook hearing this?