
Facebook urged to make GDPR its “baseline standard” globally - wpasc
https://techcrunch.com/2018/04/09/facebook-urged-to-make-gdpr-its-baseline-standard-globally/
======
quantumwoke
There's been so many articles about Facebook and the recent privacy
catastrophe that I'm finding it hard to keep up. Does anybody actually know
what their response will be to the GDPR? Are the privacy benefits from the
GDPR going to be exclusive to EU citizens? This seems problematic.

Whatever happens, Facebook has irreparably damaged my trust in their handling
of user data and I think many on here would agree. My wife and I have switched
to Riot [0] for now for personal communication and are considering other
decentralized alternatives.

[0] [https://about.riot.im/](https://about.riot.im/)

~~~
bertil
GDPR requires you to handle personally identifiable information in a way that
makes sense to the users and that is auditable. Facebook overall does that far
better than anyone.

The situation with Cambridge Analytica was that they let users export the
information about their friends, information that users had access to; not
allowing that export at all would probably be met with legally-binding
criticism. What the API allowed at the time was to conveniently do that
through a third-party application that users were free to use. The main use-
case that was discussed then was to empower services like Riot, to encourage
competition — something that, surprisingly, Facebook was very supportive of at
the time.

There was no expectation of fiduciary duties at the time, so whether they
should treat users as grown-ups and obey their request to export their
social graph, or whether they had a duty to prevent that from happening was
not clear at the time. It has since become clear that people were not reading
the permissions that they were granting and more applications were abusing
them than trying to build an alternative to Facebook. With the benefit of
being the central platform, Facebook was the first to notice and started
cutting accesses, to the great anger of many third-party services that grew
dependent on the feature. Some services that needed the social graph for
legitimate reasons well understood by the users (e.g. Tinder) have kept their
now-not-publicly-available access.

As much as people want to blame the only site that they can see in the process
and the one that appears the most powerful, namely Facebook, the company acted
with far more awareness than the law would, even with something as progressive
as GDPR in action.

Facebook not only has been very effective at showing me and letting me edit
the data they have about me in
[https://www.facebook.com/ads/preferences/](https://www.facebook.com/ads/preferences/)
but they are the first service that let me see whether my data has been sold
by data brokers to (often unsuspecting) brands. Check the “With my personal
info” section. Do you see companies you have never heard about here?

Don’t be misinformed and attack Facebook for selling your data — they did not.
They are the ones revealing to you that those companies purchased it from
elsewhere and allowing you to know who to pursue, who to ask to remove your
info or who to ask how they got it.

The amount of blaming the nurse for your fever on those issues is getting
really concerning.

~~~
ceejayoz
> The amount of blaming the nurse for your fever on those issues is getting
> really concerning.

The nurse is being blamed because they've ignored clear, worsening symptoms
for years.

~~~
bertil
I’m sorry: what problem do you think Facebook is ignoring? I have heard
interesting arguments elsewhere — but not on the company _ignoring_ anything.

All I’ve heard in this thread is people judging the company in hindsight, and
based on a rather convoluted speculation (that happens to be false: Cambridge
Analytica used credit card data and voter records, not Facebook data, to
assess psychological profile).

Facebook has made difficult decisions with partial information that ended up
proving to be suboptimal — but I don’t see when they have ignored either
symptoms or criticism.

~~~
ceejayoz
> I’m sorry: what problem do you think Facebook is ignoring? I have heard
> interesting arguments elsewhere — but not on the company ignoring anything.

I think they've been willfully ignoring the likelihood that this sort of data
exfiltration has been happening on a very widespread level for years. Many of
those 800,000 "quiz" apps are likely designed for this purpose, and their
proliferation should've set off warning bells inside Facebook - it did
_outside_.

Zuckerberg's being out there acting like this was all an unforeseeable,
shocking, limited-scope issue is disturbing to me.

------
taylorswift_
Is anyone talking about the harmful effects on startup companies that may want
to create new social platforms to compete against the incumbent players? All
the talk about regulating facebook, twitter, etc is actually great for those
companies because they can afford compliance. But it raises the bar of entry
so high that new companies wouldn't be able to compete, since with limited
resources they wouldn't be able to focus on the critical period of acquiring
users and instead would be forced into building compliance features.

I firmly believe that the majority of people still don't care about their
privacy in the first place or they wouldn't use such platforms. IMO this is
government overreach and anti-competitive.

~~~
j32fun
I think a few blogs have touched on this:

* [https://www.linkedin.com/pulse/nightmare-letter-subject-acce...](https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/)

* [https://www.smashingmagazine.com/2018/02/gdpr-for-web-develo...](https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/)

* [https://wtfuh.com/2018-04-09/gdpr-has-a-few-problems/](https://wtfuh.com/2018-04-09/gdpr-has-a-few-problems/)

* [https://pagefair.com/blog/2018/granular-gdpr-consent/](https://pagefair.com/blog/2018/granular-gdpr-consent/)

~~~
taylorswift_
thanks, wow responding to a letter like your first link could significantly
bog down resources for a young company... you can imagine if you launched and
even received moderate user growth early on, but then started receiving such
letters, your productivity could go down the tubes.

~~~
ryandrake
Honestly, those questions should be pretty easy to answer especially if your
company is small. If as a business you can’t answer these basic questions
about the data you want to collect from me, I’m going to be hesitant to share
it.

People keep sharing that “nightmare letter” link but won’t point out which
question gives them nightmares and why.

~~~
Fradow
I'll point out which question gives me nightmares, as the founder of an EU
startup:

\- the requirement to have a DPO. Based on the requirements for the DPO, no
one in the company can fill the role (conflict of interest), so we must hire
an employee or consultant (expensive either way for a small startup)

\- one month to respond. That's a lot of information to collect the first
time, and I might have other fires to put out (or I have to be pro-active and
have a prepared response, which has to take the place of something else
important to do)

\- the sheer amount of information to collect. In the age of plug-and-play
solutions, that's a LOT of things to audit (Mailchimp, AWS, GA, Heroku,
various Wordpress plugins, a logging solution I don't even remember the name
of, just to name a few)

\- tracking every single PI of a user. If your systems are not built for this,
it's going to be lengthy. If you were created before the GDPR, they are
probably not.

\- tracking down the usage of those PI may be complicated depending on the
expected scope and the usage you make of it (fortunately for me, there is no
ad nor data resale, so really only the scope is the problem)

\- some of the processes asked for have the serious implication that you should
have some things in place and do some sort of things. This is not feasible for
a small startup.

It boils down to: it takes time, and time is something I'd rather use for
something else, and it also requires doing things that have a huge fixed cost
that the size of a small company can't absorb (at least not until there is a
ready-made solution).

I define small startup as startups with less than 20 employees, that might
have received Seed funding but not more. Those points might not all be
applicable to a new startup created with GDPR in mind.

~~~
taylorswift_
thanks for this. so what's your advice for a social startup building a new
platform in today's data-privacy concerned world?

~~~
connorelsea
Simply build a secure and private platform, don't be reckless with user data.
Health startups already deal with this through HIPAA and it isn't really a big
deal, just common-sense practices for security and privacy

------
benevol
I don't think that anybody should try to fix Facebook, because it's just not
realistic.

Facebook simply needs to give way to a more evolved and humane way of "social
networking".

~~~
paulie_a
Facebook should just go away

------
ggregoire
"[any big US tech companies] Urged to Adopt GDPR Globally as a Standard"

As a European living abroad, I still have no idea if I will be protected by
the GDPR. I read at least 2 opposite answers on HN in the last few days: "yes
because you are an EU citizen", "no because it's where you are when the data
are collected that matters".

~~~
tzs
Check out Article 3 of GDPR, "Territorial Scope", for some guidance on that:
[https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/)

~~~
emddudley
I read it and I am still confused.

Does "in the Union" mean within the geographic borders of EU states?

Does "established" mean having a physical presence? Having been incorporated?
Registered with a regulatory body? Having remote employees who live there?

~~~
nolok
You have to physically live in the EEA, or the company doing the data
collecting has to be located in an EEA member country.

If any of those two, or both, covered. If neither, not covered.

------
JumpCrisscross
“Urging” Facebook to do anything not in its commercial interest isn’t worth
squat. Best case: another vague promise to be broken as soon as we forget.

Facebook needs to be broken up and an American GDPR codified into law. If you
care about this, pick up the phone and call your Congressperson and Senators.

~~~
cozicoolmail
Broken up into what? It's not Facebook's monopoly over social media that's the
issue being discussed.

------
jrs95
With all the comments about not wanting EU law to be the international
standard, it’s not really that unusual for regulations in one country to do
this. For example, U.S. fuel efficiency standards have a significant impact on
the entire market. If these are reduced by the current administration, but
California maintains the same standards, even California’s regulations might
be enough to keep the same or nearly the same impact on the market.

------
wdr1
It seems reasonable to wait for GDPR to take effect & see the results before
adopting it as a global standard.

------
silentguy
Could GDPR be the end of Facebook? GDPR mandates that the user data be
portable. Users can now download their data and upload it to a new social
network. What is stopping a new startup to come and create a social network
where users upload their facebook data.

~~~
schrep
People have been able to download their Facebook info since 2010:
[https://techcrunch.com/2010/10/06/facebook-now-allows-you-to...](https://techcrunch.com/2010/10/06/facebook-now-allows-you-to-download-your-information/)

Available here:
[https://www.facebook.com/help/131112897028467](https://www.facebook.com/help/131112897028467)

------
oculusthrift
One thing that concerns me is the security concerns with the export function
in GDPR. So now a hacker can get in and just export all my data in a few
minutes so that changing my password won’t lock them out?

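Two controls a service can put in front of a bulk export to address the concern raised above: a password change bumps a per-user "auth generation" so every session issued earlier (a hijacker's included) stops working, and the export itself demands that the password was re-entered within a short window, with both events written to an audit log. The code below is an added illustration, not Facebook's implementation or anything from the article; the `AccountService` class, its method names, the five-minute re-authentication window and the sample user are all assumptions constructed for the example.

```python
"""Added illustration (not Facebook's code): an account service where a
password change invalidates every existing session, and a bulk data
export requires the password to have been re-entered recently.  All
names, data and windows are assumptions constructed for this example."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    profile: dict
    auth_generation: int = 0  # bumped on password change; older sessions die


@dataclass
class Session:
    user: str
    generation: int      # auth_generation at the time the session was issued
    last_reauth: float   # clock value when the password was last entered


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    REAUTH_WINDOW = 300.0  # seconds; export demands a password newer than this

    def __init__(self):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}
        self.audit: list[tuple] = []

    def register(self, name: str, password: str, profile: dict) -> None:
        salt = os.urandom(16)
        self.users[name] = User(salt, _hash(password, salt), dict(profile))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)

    def login(self, name: str, password: str, now: float) -> str:
        user = self.users[name]
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.auth_generation, now)
        return token

    def _session(self, token: str) -> Session:
        s = self.sessions.get(token)
        # A session issued under an older generation is rejected even though
        # its token was never explicitly deleted from the store.
        if s is None or s.generation != self.users[s.user].auth_generation:
            raise PermissionError("session invalid")
        return s

    def reauth(self, token: str, password: str, now: float) -> None:
        """Step-up: re-enter the password to reopen the export window."""
        s = self._session(token)
        if not self._check_password(self.users[s.user], password):
            raise PermissionError("bad credentials")
        s.last_reauth = now

    def change_password(self, token: str, old: str, new: str, now: float) -> str:
        s = self._session(token)
        user = self.users[s.user]
        if not self._check_password(user, old):
            raise PermissionError("bad credentials")
        user.salt = os.urandom(16)
        user.pw_hash = _hash(new, user.salt)
        user.auth_generation += 1   # kills every other session, hijacked ones included
        del self.sessions[token]
        self.audit.append(("password_changed", s.user, now))
        return self.login(s.user, new, now)  # caller stays logged in on a fresh token

    def export_data(self, token: str, now: float) -> dict:
        s = self._session(token)
        if now - s.last_reauth > self.REAUTH_WINDOW:
            raise PermissionError("re-authentication required for export")
        self.audit.append(("data_export", s.user, now))
        return dict(self.users[s.user].profile)
```

The generation counter is the part that matters for the question asked: a stolen session token does not have to be found and deleted, because any request it makes is checked against the user's current generation and fails as soon as the password changes. The re-authentication window means a hijacked session that is merely idle cannot pull the whole archive without the attacker also knowing the password at that moment.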
------
hodder
I'm curious, would anyone surprised by FB actions mind describing how you
expected FB to act with what specific data, and how FB actions deviated from
that expectation?

I was under the impression that most people fully expect (even if they
disdain) free web services vacuuming any and all user data for advertising
profit.

Is this data selling/ad targeting a surprise, or rather is it just finally
enough to make you leave or get upset even though you knew that was the
business model all along?

Also, are you quitting other web services that operate ad based, data driven
revenue models like Google, Reddit, Twitter, etc?

This is a genuine question not a sarcastic comment.

~~~
sixothree
It is completely obvious that many people did not understand the extents to
which facebook accumulates data. I don't think anyone in this thread even has
actual knowledge to the full extent.

It is even harder for most people to understand the implications of even small
amounts of data collection.

------
Karishma55
As an Indian citizen I would like to oppose this pseudo-colonising attempt. The EU
is anyway a basket-case bureaucracy and most member nations are considering
leaving the EU, Britain having left it already.

I see no reason or logic in the fact that nations who have not opted into
this be subjected to laws that are essentially created by no-skin-in-the-game
bureaucrats.

Such attempts should be opposed at all costs.

(I know this "urging" is supposed to be "voluntary action" by facebook but
nevertheless stinks of the same white man's burden colonizers talked about)

~~~
richardwhiuk
1 out of 28 is not most, and that was on a knife edge vote.

~~~
isostatic
26% of the country (many who have now died) voted to leave the EU

------
tahw
They have no way to tell who is/isn't a citizen so just change your location
to Frankfurt and voila, you're protected by GDPR!

~~~
rmc
GDPR applies to residents (of the EU), not citizens.

And I presume Facebook has so much data on you that a simple trick like
changing your profile won't matter.

------
pfarnsworth
Having worked on GDPR, it is unnecessarily harsh and in no way, shape or form
would I support this standard going global. There are plenty of ways to make
users' data completely private without being ridiculously overreaching the way
GDPR is. And having the sword of infinite lawsuits hanging over your head has
never worked and never will; look at how ambulance chasers in the US have taken
the most mundane laws and turned them into free money.

~~~
908087
If the industry didn't want what they're trying to spin as an "overreaching"
standard like GDPR, maybe they shouldn't have spent so much time and effort
seeing how far they could push their abuse of users' privacy.

~~~
pitaj
Maybe governments should remove the plank from their own eyes before attaching
the voluntary association eye splinters in the market.

------
riantogo
Towards what end? GDPR is not going to (or meant to) eliminate targeted online
advertising. Which means it is not going to thwart Cambridge Analytica and the
likes. We need to address the root of the problem, which is money/advertising
in politics.

------
jacksmith21006
Makes sense. Think Google is already there.

------
encoderer
Maybe it’s my American DNA but I don’t want European laws. I don’t suspect
this to be a popular sentiment here.

~~~
adtac
How is the country/continent of origin of a regulation that is entirely in
your best interest of any relevance?

~~~
JumpCrisscross
> _How is the country /continent of origin of a regulation that is entirely in
> your best interest of any relevance?_

Laws carry their culture. GDPR is, from an American perspective, an overworked
mess designed to support a big bureaucracy. This side of the Atlantic, we'd do
something slimmer, more reliant on privately-funded cases (and regulatory
complaints) versus public ombudsmen, and better attuned to start-ups’ needs.

~~~
StashOfCode
Indeed. A law is just a text in a hierarchy of norms, and so is this text.
Accordingly, its weight may vary from country to country in the EU, first
because the relationship between the Constitution of a country and the EU
norms may not be the same. Moreover, one should not forget that enforcing a
law requires a whole judicial system, and once again, this judicial system may
vary from country to country in the EU. Think of the GDPR as a program: it
runs with some privileges in a given software context and requires some
hardware resources to run.

IMHO, as an EU citizen, an American perspective would be welcome. A text must
fit the local hierarchy of norms and the local judicial system.

You may read this article related to this point of view:
[https://www.economist.com/news/leaders/21739961-gdprs-premis...](https://www.economist.com/news/leaders/21739961-gdprs-premise-consumers-should-be-charge-their-own-personal-data-right)

------
pdog
It would be absurd for Facebook, a US company, to adopt as a global standard a
framework that's entirely decided and enforced by the EU.

Perhaps a global data protection framework can largely conform to GDPR, but it
clearly has to be decided in the US.

~~~
izacus
It's as absurd as Google/Facebook/et al. adopting US cultural norms as global
standard of banning ads, YouTube content, social media content and everything
else for the whole world.

Meaning: not absurd at all.

~~~
JD557
While I don't agree with some of Google/Facebook/et al. standards, I think
that's not a fair comparison, since they are US based companies following US
cultural norms, not EU based companies following US cultural norms.

~~~
desas
Facebook and Google have many subsidiary companies based in the EU

~~~
monocasa
And not just little subsidiaries either. Up until very recently, all ad revenue
was going through their Irish subsidiary.

------
StashOfCode
But is it possible to fix a leaking ship once it has been sailing in the sea
of information? A new logo for the firm: [http://www.stashofcode.com/facebook-the-leaking-ship/](http://www.stashofcode.com/facebook-the-leaking-ship/)

------
sakabaro
I think, on the contrary, we should urge US companies to fight against GDPR.
Local foreign laws shouldn’t dictate how our companies should behave. Why not
respect speech laws in China or in Russia if we follow this precedent?

~~~
RussianCow
Are you really comparing GDPR to Chinese speech laws?

~~~
sakabaro
Yes, both are infringing the 1st amendment. It’s not because GDPR seems more
acceptable that it’s not built on bad premises.

~~~
JumpCrisscross
> _both are infringing 1st amendment_

The First Amendment protects you from the government. Facebook censoring you
is not prohibited by the First Amendment. More broadly, I don’t see how GDPR
interferes with one’s right to lawful political speech.

~~~
methodover
He means that both China and the EU (with the GDPR) infringe on freedom of
speech.

~~~
isostatic
How does the GDPR interfere with one’s right to lawful political speech?

~~~
sakabaro
The First Amendment protects all speech except direct threats of violence.
The right to be forgotten is by essence incompatible with the First.

~~~
M_Bakhtiari
It says nothing in the text of the first amendment that direct threats of
violence are not covered. If that restriction is compatible with the first
amendment I don't see why a future right to be forgotten can't be.

