
Facebook to change user terms, limiting effect of EU privacy law - pwtweet
https://www.reuters.com/article/us-facebook-privacy-eu-exclusive/exclusive-facebook-to-change-user-terms-limiting-effect-of-eu-privacy-law-idUSKBN1HQ00P
======
IBM
Zuckerberg went to Congress and told them Facebook would support GDPR, as if
GDPR is just some controls you'd do at the user interface level (and, as we
learned today, that they're attempting to get around with dark pattern
designs [1]).

GDPR is much more comprehensive than that, but most importantly it gives data
privacy regulators real teeth to enforce with (fines up to 4% of global
revenue).

The only way Americans (or anyone else besides EU citizens) will get GDPR
protection is if GDPR-style regulation is enacted into law.

[1]
[https://twitter.com/zeynep/status/986591125262749696](https://twitter.com/zeynep/status/986591125262749696)

~~~
hartator
You are assuming GDPR is good. I don’t think so. I don’t want GDPR in the US.
The worst abuser of privacy - right now - is the government. I don’t think
putting red tape on startups will solve anything.

~~~
martin_bech
That is a somewhat valid concern, but here in Denmark (EU) GDPR has actually
been helpful to highlight some of the data collection by the state, and some
of it has been set on standby or at least been postponed because of concerns
(student mental health/well-being was so to be registered, and stored on a
SSN level “for research”)

~~~
mantas
Got any articles on that? I wonder what local agencies I could fuck with in my
country thanks to GDPR :)

~~~
eecc
Heh, several EU countries already have FOI laws in place. Together with the
GDPR regulation one has a handy and effective combination of tools to rein in
governmental abuse. Oh, I’d never imagine I would ever use the word “synergy”!
:D

------
mikekchar
This article is really confusing. Basically the point is that under the
current terms of service they tell you that if you are outside of the US then
you are doing business with their Ireland office. Since the Ireland office is
in the EU, it is subject to the GDPR. So that means that everybody outside of
the US will be covered by the GDPR (because they are doing business with an EU
company).

They are changing their terms of agreement to now say that people outside of
the US are doing business with the US company. This means that only people in
the EU will be covered by the GDPR. Probably that's what they should have been
doing all along, but there were probably massive tax advantages to running
their international company in Ireland.

For what it's worth, I'm a huge proponent of GDPR and I would probably do the
same thing -- at least initially. They have a _lot_ of users and GDPR is
_really tricky_ to implement when dealing with any manual processes. Limiting
your exposure is common sense.

I'm looking forward to seeing what actually happens to Facebook when GDPR
comes into force. You _know_ people are going to exercise their rights and I
just can't imagine they are prepared. As I've been going through this stuff in
my job I can't see any easy ways to sweep this under the carpet -- you not
only need to inform the user about what's going on, you actually need to
record the lawful basis that you've told them you are using. If you just say,
"Oh I have consent" then the user can withdraw consent. If you actually needed
that information (like the user's name!) then you are absolutely screwed.

I fully expect some thoughtful users to nail them to the wall. And when that
happens, I expect them to implement everything world wide because it will be a
lot easier/cheaper than maintaining different processes all over the place.

~~~
donogh
Not contradicting, worth pointing out for the Americans in the audience: even
if you have an exclusively US-based company, working with any EU users means
you _are_ in scope for GDPR.

The consequences for violating GDPR are quite severe -- up to 20 million euro,
or 4% of global turnover, whichever is _greater_. Again, this applies to US
companies even if it's a single record of EU personal data.

Furthermore, individuals are fully entitled to sue in the event of a data
breach, and there is legal precedent in the EU for compensation of between
10-15k euro _per person_.

As to the question of EU law applying in the US, just look to financial
regulation like Sarbanes–Oxley to see it going the other way.

~~~
morgante
> Again, this applies to US companies even if it's a single record of EU
> personal data.

This is part of why I think GDPR is a disaster for startups. It's a massive
regulatory burden which big companies will be able to comply with but small
startups don't have the legal horsepower to handle.

Typical EU regulatory overreach.

~~~
dogma1138
I don't know why people were downvoting this.

GDPR outside of the EU (for purely non-EU entities) is a non sequitur; there
are zero internal processes to make it work.

Let's take the most basic example: the GDPR does not apply in a vacuum, it's
enforced and supported by Data Protection Agencies (DPA) in each member state
which are responsible to ensure that companies in those member states comply
with EU regulation like the GDPR within the context of local laws and
regulations.

The DPA is responsible for the application of the GDPR within its member
state (and its power is limited to that member state only but the GDPR does
have a few venues for applying a local DPA directive across member state
lines) it's also responsible for handling complaints in that state and it
provides directives and advice to both law makers and the industry.

If I'm a UK company and need to deal with the GDPR (till Brexit do us part) I
work with the ICO which is the UK Data Protection Agency. While other DPA
might affect me the ICO is my primary source of both advice and enforcement
and any issues that might originate in another DPA would still pass through
the ICO.

Now I am a company in, I don't know where, let's take Argentina. I want to sell
to EU customers; which DPA do I answer to? Which DPA do I ask for advice? How do
I arbitrate complaints filed against me and to which DPA do I prove I handled
data disclosure requests in a manner compliant with the GDPR? Which DPA would
know my local laws to ensure if my application with the GDPR was compliant
with local data retention and lawful access laws? In fact other than going
through my own state/trade department and organizations what venue do I have
as a non-EU resident and a non-EU entity to any EU services and resources.

The question to all of this is none as a non-EU company there is fuck all you
can do even if you want to comply with the GDPR.

~~~
trumpeta
I'm not a lawyer, but I would think your Argentina company can be in one of 2
states:

1. You have a subsidiary in EU, in which case that is who will get fined or
will have to deal with the DPA where it is registered

2. You don't, in which case the EU can not fine you?

~~~
dogma1138
Well the GDPR doesn’t define that it applies to anyone who touches PII
belonging to EU residents.

The logic dictates that it won’t apply to companies that simply don’t have
any legal presence in the EU.

But that is not defined because again there are no exceptions.

However PayPal might enforce it on you in fear of the EU going after PayPal
because it’s expected that all EU companies would require GDPR compliance from
their business partners overseas that perform any data processing for them or
are exposed to EU PII.

However how this compliance to be achieved, validated and arbitrated isn’t
defined either.

~~~
grabeh
Article 3 is clear about the scope of the regulation when an entity is outside
the EU. It states that it will apply where that entity is offering
goods/services or is monitoring data subjects in the EU. Enforcement is a
separate matter but the underlying law is clear. Art 2 then contains general
exceptions to the application of the regulation also.

~~~
dogma1138
It’s not clear at all by this definition if I sell guitar picks on my personal
store and I’m located in say Zimbabwe I’m either forbidden from selling it to
the EU or will have to comply with the GDPR which can be prohibitive to me due
to local laws.

The GDPR isn’t clear on anything; it rewrites agreeable concepts of
localization which have much more severe applications than simply the GDPR.

It also provides zero channels and infrastructure for non-EU entities to
comply to the GDPR in a manner which is offered to local EU companies.

If the GDPR would define its scope as if I can buy from you you must comply
what stops the EU from mandating I must collect VAT on their behalf?

~~~
grabeh
Laws are not always crystal clear in each case because to do so risks making
them capable of being worked around (and of course in some cases they are just
badly drafted - but I don't see this so much with GDPR). Laws are then subject
to interpretation by the courts and by lawyers. If you're having issues with
understanding laws, then you may need an expert to guide you, as in many areas
of life.

Recital 23 of GDPR will give you insight into how your Zimbabwean guitar pick
seller would be treated. If they are consciously offering picks to data
subjects in the EU, either through specifically referencing EU data subjects,
or through offering picks in EU currencies or tailoring the site for different
European languages, then they are likely in scope.

Conflict of laws provisions are a separate point, however in various areas,
the GDPR expressly states that legal obligations override GDPR obligations in
various areas.

Whenever any company considers that a law may apply to them (whether as a
result of operating in the country or because of the extra-territorial
implications of certain laws, like GDPR) they generally take advice from local
lawyers as to the implications or do independent research.

The regulation is obviously available and there is a host of interpretative
guidelines issued by the Article 29 Working Party which will enable anyone
with enough time and desire to understand the implications of compliance. I'm
not sure what kind of assistance you're looking for here? It's incumbent on
the party who wants to operate in a country/provide services to users in that
country to understand the relevant laws.

If you disagree with the extra-territorial application of the GDPR then that's
a separate issue. Bringing international tax treatment into the discussion is
also not of relevance.

~~~
dogma1138
Yes laws are not crystal clear but you don't understand the problem because
when laws are unclear in your country / union there is a clear channel to
debate it which is the regulator and the courts; these channels are not
available to extra-territorial parties.

Add to that the fact that you now have laws enforced on you that you have no
control on how they were written or are enforced because you are not part of
the electorate that passed them.

International law is applied when 2 countries agree on a common set of rules
in which case you have 2 representative electorates which are mediating an
agreement.

The GDPR has no legal basis of application it's not part of any trade
agreement or any other international agreement between the EU and other
countries.

The claim that it somehow applicable is essentially tyrannical despite the
intent of the law the means through which and the fact that people support
its universal application is terrifying.

What is even more terrifying is the likely means of enforcement which will be
through the multinationals.

> The regulation is obviously available and there is a host of interpretative
> guidelines issued by the Article 29 Working Party which will enable anyone
> with enough time and desire to understand the implications of compliance. I'm
> not sure what kind of assistance you're looking for here? It's incumbent on
> the party who wants to operate in a country/provide services to users in that
> country to understand the relevant laws.

What are you even trying to say here? If I don't live in the EU, have no legal
presence in the EU I have no means through which I must comply with the GDPR.

Mandating that I would create a local legal entity to serve as a proxy in a
member state is a violation of existing trade agreements and WTO rules.

Enforcement of extra-territorial laws must be done through a process which is
agreeable and understood by all parties.

> If you disagree with the extra-territorial application of the GDPR then
> that's a separate issue. Bringing international tax treatment into the
> discussion is also not of relevance.

This entire debate is about the extra-territorial application of the GDPR,
bringing international tax treatment is super relevant because it's an
established framework and it already establishes things like localization which
are critical for extra-territorial application that the GDPR must follow.

People really need to wake up and understand that the GDPR isn't about
Facebook or eBay, Amazon or the likes it applies to them equally as it applies
to your local dry cleaner or hairdressers which collect and process Personal
Information as defined under the GDPR and are subject to the full extent of
its regulatory requirements.

What is more frightening is that through commerce of either tangible goods or
services this regulation can be applied to non-EU entities in not only an
extra-territorial fashion but also in an extra-judicial one.

The reality is that either many small businesses or businesses regardless to
which the volume of trade they have with the EU is less than the cost of
compliance would likely be forced to stop offering services to EU consumers or
switch to a proxy like well eBay or Amazon.

The scope of regulation like FATCA or SOX which were mentioned here as
examples applies to institutions that can afford it and can handle it.

The GDPR applies to everyone equally, actually that isn't true if it applies
to non-EU entities it doesn't apply equally, it's much costlier to them.
If nothing else is then just by your ridiculous example "consult a lawyer"
then a GDPR lawyer in Belgium or the UK would be fairly cheap since it's an
established local law, to get the same level of advice and to get arbitration
with a DPA in say Bolivia you can't go to an ambulance chaser you'll be
limited to an international law firm. Not to mention that getting legal advice
for such services can be achieved for free in the EU through the local DPA and
or various organizations like Citizen Advice which provide legal assistance.

~~~
grabeh
> What are you even trying to say here? If I don't live in the EU, have no
> legal presence in the EU I have no means through which I must comply with
> the GDPR.

I was responding to your point that there were zero channels to help non-EU
companies to comply.

I’m really not sure on what resources you think are available to EU companies
that are not available to non-EU companies? You would definitely not get GDPR
advice at the Citizens Advice as they have more important matters to deal
with. To the extent a local regulator would provide guidance to an EU company,
I am certain they would also provide to a non-EU company looking to comply.
You present it as a clear distinction between EU vs non-EU companies but that
simply is not the case!

We can agree to disagree on the pros and cons of an extra-territorial law but
don’t misrepresent the position in terms of help available to EU vs non-EU
companies.

Also your point about hairdressers is nonsense. A non-EU based hairdresser is
very much out of scope of GDPR!

~~~
dogma1138
Local DPA, local courts, local MPs, industry unions, EU MPs, EU high courts.

And please tell me how say I as a small merchant in any country outside of the
EU can get in touch with them and get services from any of them.

Better yet please tell me how a lawyer in Mexico or the Philippines would be
able to advise me on GDPR unless they are part of a top tier international law
firm which operates in the EU and has experience with GDPR.

Please let me know to which non-EU bar associations were provided with
materials and guidance and have conducted workshops and seminars in order to
ensure that they would be able to provide legal advice on this manner by a DPA
or any other EU regulatory agency.

> You would definitely not get GDPR advice at the Citizens Advice as they have
> more important matters to deal with.

Wanna bet? Citizens Information Board (CA in Ireland) already offers such
service (so does Citizens Advice Edinburgh), in the UK the ACF provides GDPR
related legal counsel to foundations, a lot of other industry organizations
offer similar services.

> I am certain they would also provide to a non-EU company looking to comply.
> You present it as a clear distinction between EU vs non-EU companies but
> that simply

They will not provide any service or information to you, in fact they are
forbidden from doing so; try contacting an MP who isn't yours or an agency
outside of your member state.

> We can agree to disagree on the pros and cons of an extra-territorial law but
> don’t misrepresent the position in terms of help available to EU vs non-EU
> companies.

There is anything to disagree about, this isn't about extra-territorial law
this is about extra-judicial application of it which is tyranny since you are
applying laws and regulation outside of the scope of international law and
frameworks. The fact that you accept this as something good makes me think
that the brexiters might have had a point.

> Also your point about hairdressers is nonsense. A non-EU based hairdresser is
> very much out of scope of GDPR!

I think you should practice on your reading comprehension I'm in the EU on the
25th of May I am submitting a data access request letter to my dry cleaner (I
like my hairdresser), Pristine Dry Cleaners just for the lolz and to show just
how ridiculous it can be.

I know for a fact that they have my name, address and phone number since it
was required during registration and I also know that their branch in East
Finchley shares the same database as the one in Lancaster Gate since I've used
both despite being different franchises so I really want to know who they
shared those with.

~~~
grabeh
Ok, my apologies for not picking up on the fact you are in the EU. Is it the
cost that is stopping you from making a subject access request today under
existing laws?

Apologies also - I took Citizens' Advice in the narrow sense of the Citizens
Advice Bureau (I used to work there so it's in my subconscious) who generally
deal with benefits, employment and housing law queries. I took a look at the
citizensinformation.ie and did a search for GDPR - I can't see much in the way
of materials unfortunately. ACF makes materials available which can be read by
anyone regardless of location. Sure, they might make advice available to local
entities, but this would be a small benefit to EU orgs vs non-EU orgs.

However I still don't really follow your point how organisations will approach
GDPR compliance in general and the idea that there is a massive gap between
what is available to EU entities versus non EU entities.

For lots of organisations, GDPR will not be on their radar, and life will go
on as normal post May 25th.

For organisations aware of GDPR, their route to compliance will be through
reading the source materials and supporting materials available on the Art 29
Working Party website. That is the case regardless of whether the organisation
is in or out the EU. They can consult materials from third parties like ACF
but the core materials are as above.

I don't really think contacting your MP or actually contacting a regulator is
something which many entities have actually done because actually the base
regulation and the interpretation notes are sufficient to understand what an
organisation has to do to comply (again available to anyone who cares to
read). In terms of court access

In terms of access to legal advice, then I don't quite think it's as bad as you
paint out here! I've instructed local counsel in multiple countries direct and
it's a straightforward process and those firms were not part of a top tier
international law firm network. Often smaller local firms have firms of
similar sizes in other countries that they can refer work to. If other
peoples' implementations of GDPR are anything like my company's then the
extent of legal advice sought will have been limited.

I think overall I take your point that resources on offer to non EU companies
may be more limited, but overall the core resources are the same. Lots of
non-EU entities have been working very hard on looking to comply with GDPR
using the above resources and taking local legal advice where relevant. I
agree that for smaller organisations this is more problematic, but this is the
case regardless of location to an extent.

I do take your point about the extra-judicial nature though. We will have to
see how things work out. My instinct is that for lots of companies it will be
business as usual and the local regulators will have bigger targets that they
want to go after.

~~~
dogma1138
The company I work for has been working on GDPR compliance for the better part
of 3 years.

We also maintain compliance in the financial sector and we have both very good
in house and external counsel which works with both the ICO and political
institutions to ensure we meet our compliance.

The fact is that as an EU citizen you have a say about how the GDPR is applied
and you have a say in how it will be enforced and interpreted.

As a non-EU entity you have no voice.

You also cannot ask for assistance from any EU or member state body.

You also don’t have access to DPA run events for example:
https://ico.org.uk/about-the-ico/news-and-events/speaking-engagements/preparing-for-the-new-data-protection-act-and-gdpr-an-essential-legal-seminar-for-schools-manchester/

Now if you want a good comparison as you have worked for a legal aid
organization before you can likely estimate the hourly billable of a lawyer in
the UK to provide you counsel on UK or EU law vs say FATCA or SOX.

My bet is that it would likely be at least 3 zeros in difference.

The fear isn’t that a DPA would go after you, but rather that they’ll force
service providers to compel you to comply.

Under the GDPR for PayPal to remain compliant it needs to ensure that all
merchants that use it to receive payments from EU residents are also compliant
because you share your Personal Information with PayPal who then shares it
with the merchant (name, email, address, phone number etc.).

This is going to be the likely channel of enforcement not them dragging you to
court.

------
kalleboo
> But the fact that the button to reject the new Terms of Service isn’t even a
> button, it’s a tiny “see your options” hyperlink, shows how badly Facebook
> wants to avoid you closing your account.

> _When Facebook’s product designer for the GDPR flow was asked if she thought
> this hyperlink was the best way to present the alternative to the big “I
> Accept” button, she disingenuously said yes, eliciting scoffs from the room
> of reporters._

I wonder if I could live with myself if this was my job. Although I guess if I
got paid really well I would end up justifying it to myself somehow.

~~~
kartan
> I wonder if I could live with myself if this was my job.

You are in the company, you have a job to do, everybody else is doing it.
Other people share your concerns, but in the end, you have a feature to
deliver and you don't want to fail your team. Some people are really concerned,
they try to change things, they quit, they are tired of the pressure of going
against the managers and making it more difficult for their own teams. Peer
pressure, management pressure, etc. is an important factor. I don't think that
the people that do these things get paid better than anyone else.

I have been in too many situations where your team is in the "hamster wheel"
and is just doing without thinking. Fast-growing companies have the incentive
to run forward, quite often without so much direction.

It is easier to not join a job that you don't want, than to not do it once you
are already in. So, think before joining if that is what you want to do. Once
in, you will see that they are not evil people, that they are trying the best
to do their jobs. And that to change things is hard, even when it is in the
company's best interest, so much harder when the company will lose revenue.

~~~
joosters
I guess they're "just following orders"...

~~~
letsgetphysITal
Doesn't apply. If you resign from your job, you stop being paid. If you try
and resign from the Armed Forces, you're put in prison at best.

~~~
majewsky
You absolutely can resign from the Armed Forces, otherwise how would there be
veterans? The only difference is that you cannot resign mid-operation.

~~~
pbhjpbhj
Veterans may have retired (different to resigning), or been demobilised (like
being made redundant).

You can't resign from conscription, some countries have a system whereby
conscripts could serve non-combat roles; but usually it's fight or
death/imprisonment.

Apparently Germany had general conscription from 1935, but with lots of
exceptions. By 1943 all men up to 60 were being conscripted. Follow orders or
face a firing squad.

~~~
SmellyGeekBoy
Very informative, but what does any of this have to do with Facebook?

~~~
pbhjpbhj
It doesn't, it's background on a side-thread response to "just following
orders". The reference to WWII Germany being because the usual origin is that
this was used as a mitigation by those involved in the Wehrmacht.

------
kumarharsh
> Earlier this month, Facebook Chief Executive Mark Zuckerberg told Reuters in
> an interview that his company would apply the EU law globally “in spirit,”

How would they apply the law? They can't be prosecuted if they fail to uphold
the same law. Saying "we'll apply the law in spirit" is just moral posturing
IMO.

~~~
nemothekid
Asking them to apply an EU law globally is posturing as well. Both the
question and answer are nonsensical.

~~~
robryan
Interesting though as they are selling to the rest of the world from Ireland
in the first place to tax dodge.

~~~
Moru
And EU isn't totally ok with this either. No wonder Ireland got hiccups when
UK voted to leave EU.

------
foxylad
I don't use Facebook, but could one build a service that automatically sets
Facebook's privacy settings to sensible options? A large part of the problem
is that changing these through the web site is painful in the extreme.

I suppose I'm asking if their API provides read/write access to privacy
settings. If so, there's a big opportunity here.

More generally, I'd like to see governments mandate that all FB users' privacy
settings be reset to the max, and force Facebook to realistically inform users
who want to loosen them about why they might want to do so.

~~~
cjhopman
Do you consider your privacy settings your personal information? Do you
believe companies should just be exposing that kind of information to random
other companies through an api?

~~~
pimmen
You could use the OAuth authentication API and let the user consciously give
user settings access to the service. As long as the service doesn't do
anything with that data the agreement with the user doesn't permit, and the
data is deleted upon the user's request, the service is GDPR compliant.

~~~
ahartmetz
Impossible for technical reasons, like data sharing between WhatsApp and
Facebook proper. /s

------
rdiddly
So it's a weasel move. Let the record show that Facebook and Mark Zuckerberg
weaseled out of GDPR to the greatest degree possible given the opportunity.
It's all perfectly legal, but decidedly non-excellent and non-exemplary.

~~~
siruncledrew
Not surprised at all. Facebook is not going to change.

------
mieseratte
> Facebook members outside the United States and Canada, whether they know it
> or not, are currently governed by terms of service agreed with the company’s
> international headquarters in Ireland.

So would the GDPR have any protection for a Facebook expatriate in the US who
does not agree to the new terms, or would they still have no standing in
European court as they are not citizen / residents?

~~~
CiaranMcNulty
The GDPR applies to people located within the EU, irrespective of citizenship.

So it would protect a US national in Berlin, but not a German national in New
York.

~~~
ozim
By people located you mean residents? Just to be more specific.

~~~
tialaramex
No, just that's where they are. The law says a US citizen who happens to be in
Berlin (maybe on vacation) is subject to German law. Fine says GDPR, I'm EU
law, so I apply to that US citizen too.

~~~
majewsky
That's how most of the law works. If I commit a felony while on vacation, I'm
subject to the penal code of the country I'm visiting, not the one where I
have residence.

~~~
ozim
There are more scenarios.

I am US citizen I have residency in US and I make new account (make contract)
with company providing service that is based in US with rules as in US. I
visit Berlin for a week and I log in into account to use the service. Is that
falling under GDPR?

I am US citizen I have residency in US and I go to Berlin where I make new
account (make contract) with company providing service. Now I go back to US
and login to use service. Is this one also falling under GDPR?

Which law is applicable to contracts between two parties going into contract?
Usually in formal contracts you have place and date. I assume you agree on
laws of place where contract is made. So if you are at the moment in Germany
that is the place of making contract.

I think also criminal law and civil law are quite different in many ways so I
would not draw conclusions based on how committing felony is handled.

------
maaaats
> _Facebook to change user terms, limiting effect of EU privacy law_

Ironically, EULAs are not really enforceable in the EU. So had this been the
other way EU citizens would also have been protected.

~~~
ckastner
This isn't about EULAs.

------
ironjunkie
So, does GDPR apply to:

- European citizens only currently living in the EU?

- European citizens worldwide?

- Everyone currently living in the EU?

As a European living in the US, I'm wondering.

~~~
tzs
See Article 3, "Territorial Scope", here [1]. It's fairly clearly written.

[1] [https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/)

~~~
shiado
What is funny about this is that in order to make the nontrivial determination
that a subject is in the Union Facebook has to use all available personal data
they possess about the individual such as IP history (consider the possibility
of a European using an American VPN which still makes them European),
geolocation history, etc... But upon establishing that they are in the Union
the data they used to determine they are in the Union becomes a liability
whose nonexistence would have prevented Facebook from determining if a person
is in the Union. In other words they need to use personal data to determine if
they need to protect and limit a user's personal data. Perhaps Facebook needs
to assume all users are European?

~~~
Sir_Substance
[https://gdpr-info.eu/art-11-gdpr/](https://gdpr-info.eu/art-11-gdpr/)

------
chrischen
Users generally won't care about privacy, but they will care about money.
What this essentially boils down to is Facebook is charging users by taking
their data, which is worth some amount of money.

~~~
_rpd
Website terms and conditions could ask for a pint of blood from their
firstborn and people would still click okay. No one reads these things. The
GDPR is just going to end up being a more annoying version of the cookie law.

~~~
sgeisler
I'd be interested if you could ask your users if they are _not_ an EU resident.
Only if they click yes go ahead, otherwise show that you will not serve them.
Probably 90% would learn to click the "Not from EU" button. Who should hold
you accountable for false user input in that case?

~~~
Thiez
In the case of Facebook, people upload photos with GPS data, attend
events that have an address... No judge would accept the 'but they said they
weren't an EU resident' argument.

------
ggm
Hmmmm. Does this mean that the Irish Dutch triple sandwich tax thing will
break and facebroke is now paying US taxes?

~~~
whostolemyhat
The article mentions that they'll still try to claim revenue through Ireland
for non-EU users, but that non-EU users technically have an agreement with the
US company.

So no idea, basically.

------
gaius
On May 26th I would like to log into FB one last time and say “permanently
really-delete all my data and never gather any on me ever again”. Will that be
possible?

~~~
majewsky
Probably better to send a letter.

------
buro9
How do they manage the "no tax implications"?

If the Irish entity has a licence for the IP, and 70% of the value of their
licence is transferred elsewhere, then how does this not realise that value to
the Irish entity and not be taxable?

I am obviously not learned in this area, but the sleight of hand to move such
a huge amount of value from one entity to another seems to me to create a huge
tax liability now that the value would be leaving the tax domain.

~~~
return1
Facebook users don't pay Facebook however, only advertisers do. It seems only
a small percentage of non-EU advertisers went through the Ireland HQ.

------
phonebucket
Is this news? Facebook had already stated that it wasn’t applying GDPR to non-
Europeans.

Also, the headline is misleading: it makes it sound like FB is trying to get
around laws. Really, all it’s doing is applying laws in the required
jurisdictions, which is how things always work. Where’s the controversy?

~~~
rmc
> _Is this news? Facebook had already stated that it wasn’t applying GDPR to
> non-Europeans._

Yes. Previously anyone not in the USA or Canada had a legal agreement with
Facebook Ireland Ltd. So there was an Irish/EU company which was processing
personal data for lots of people (inside & outside the EU). The GDPR says it
applies to (i) people in the EU or (ii) companies in the EU who process _any_
personal data. So if Facebook Ireland Ltd did something against EU law with
the personal data of (say) someone from South Africa, then EU law could take
that up.

BTW The GDPR never mentions citizenship, merely presence in the EU. non-
Europeans in the EU are covered too.

------
furyg3
How does Facebook determine if a user resides in the EU? Based on the location
that they give Facebook? Based on their IP address? Phone number?

~~~
apexalpha
99% of people give FB their location.

Perhaps as just if (EU IP | EU LANGUAGE | EU PHONE NUMBER | EU LOCATION SET)
== EU.

Just to be safe for a massive 4% of global REVENUE fine.

~~~
furyg3
Yeah my question is not does facebook know your location (they do), but what
criteria are used to determine if you are under the legal regime of the GDPR.
If it's just the location you set, I would advise my non-EU friends to set
their location to somewhere in the EU.

------
mtgx
It would be hilarious if a future U.S. government enacted even stronger user
privacy protections than the GDPR.

What will Facebook do then?

------
joering2
Couldn't they move all their servers to some third world country and just not
care about GDPR at all??

~~~
zenhack
They'd also have to stop being based in Europe (they're officially
headquartered in Ireland, because tax evasion), and (here's the kicker): stop
doing business with all of Europe. Even if they had to say screw it and not do
any targeting of their ads at all, it really wouldn't make any business sense
for them to take their ball and go home.

~~~
lwansbrough
I think the EU government would be in more trouble than either Google or
Facebook if both companies decided to stop servicing all EU citizens. I think
the only reason big companies aren't threatening that is because GDPR gives
them a massive advantage over small businesses and basically permanently
solidifies their positions on top of the tech world in those countries.

~~~
lovich
That would be a massive dystopia if companies had more power than an entire
continent's democratic governments. Might as well just make way for the
megacorps and corporate citizenship at that point.

~~~
lwansbrough
> That would be a massive dystopia if companies had more power than an entire
> continent's democratic governments.

Governance is balancing individuals' and corporate interests. Companies like
Google and Facebook have a tremendous amount of power because they're the
gateways to information. Those two companies alone _are_ the internet for many
people. Far fewer people would push for the over-reaching GDPR legislation if
they knew it would impact their ability to use the internet as they know it
(which it does, ultimately, one way or the other.)

