
Facebook CEO says no plans to extend all of GDPR globally - troydavis
https://www.reuters.com/article/us-facebook-ceo-privacy-exclusive/exclusive-facebook-ceo-says-no-plans-to-extend-all-of-european-privacy-law-globally-idUSKCN1HA2M1
======
ejlangev
Best endorsement of GDPR they could possibly make. Everyone knows Facebook
collects more data than most people probably want so it follows that a privacy
law they don't want to roll out everywhere must help curtail that to some
degree.

~~~
amelius
Playing devil's advocate: it could also be that their implementation of the
GDPR necessarily restricts functionality from the user's point of view. And
they simply want their users to have the best (in their view) possible
experience.

~~~
smt88
GDPR can't restrict functionality that I want because if I really wanted it,
Facebook would ask me to opt-in and I would.

GDPR doesn't penalize or prevent innovation. It just forces it out into the
open.

~~~
amelius
The GDPR still limits developer speed/freedom, and supposedly Facebook can
build new stuff much faster without having to deal with the GDPR at all.

~~~
Barrin92
In the same sense as medical trial guidelines diminish scientist freedom and
safety regulations regulate the freedom of engineers. Sorry, but just as I
demand that if I walk into a hospital I'm being treated safely, consumers can
demand the same thing from me as a developer.

Compared to the freedoms of millions and billions of users my 'developer
freedom' is pretty far down the list of things that matter. As developers we
are servicing people; they are not our lab rats.

~~~
friedman23
Social networking software is not in any way equivalent to medicine so thank
you for making this false equivalence because it proves the point that these
regulations are ridiculous.

If you don't want Facebook to track you, don't make an account on their website
and don't click any of the stupid buttons on their website.

~~~
Barrin92
Having seen the influence social media can have on our discourse and even our
political systems, including manipulation of democratic elections, I think that
comparison is absolutely warranted. It is the infrastructure of our modern
communication, not just a 'website with stupid buttons'.

------
Someone1234
At some stage Americans need to expand their definition of what "freedom" is.
Right now maintaining freedom from government is almost a national pastime
(and arguably quite effective), but in the meantime infringement from private
organizations has expanded and I'd argue is now the predominant issue facing
your average citizen.

You have HOAs acting as government, tech companies acting as intelligence
organizations, private security acting as police, and heck even private
companies buying up roads/bridges maintaining them and charging a fee.

The whole "make a different choice" retort whenever private organizations do
something evil is getting less and less believable with every passing day. For
example, in a lot of cities almost every neighborhood has an HOA.

~~~
insickness
While there certainly is room to improve privacy legislation, it must be done
carefully. More legislation is not always better. For example, I'm strongly
against forcing search engines to remove entries based on a single person's
'right to forget.'

~~~
rhizome
Then let's talk about _how_ careful. "Right to forget" premises data ownership
by the person, with which you apparently disagree.

So, if people should not have complete control over data about themselves,
where should the line be drawn on the usage of that data when people can't
tell companies what to do with it? Who should draw that line?

~~~
jaredklewis
You seem incredulous that anyone can have a good faith argument against the
"right to be forgotten."

One person's right to be forgotten conflicts with the public's interest in
knowing things. For example, if a given doctor has botched several surgeries,
and I am considering becoming his patient, the doctor's right to have those
incidents forgotten conflicts with my interest in knowing his track record.
This is one example, but such cases are myriad.

Of course the laws surrounding the right to be forgotten in Europe are not
boundless (though they are, to my mind, quite vague) and I'm sure supporters
will be quick to point out that the case of the doctor above may not be covered
by the right to be forgotten. And that is a nice point in theory, but in
practice is moot. Europe has put the burden of correctly determining what is
in the public interest squarely on the shoulders of online aggregators. If an
aggregator's interpretation of a broad set of laws is later found to not be in
keeping with the opinion of European courts, the aggregators are the ones that
will be footing the fines.

Forcing search engines to all become court systems which adjudicate millions
of cases is extremely onerous. Companies are not going to spend billions doing
that. They are just going to remove whatever requests they get, DMCA style.
The end result is that Europe has given everyone a more or less unrestricted
delete button. Google has already delisted more than a million URLs (including
for a doctor that botched several surgeries).

Further, until the whole world gets on board, I imagine there will always
be access to search engines that do not delist results. So not only are
companies forced to rubber stamp millions of delist requests, it's also
completely pointless!

Personally, if society believes the right to be forgotten is worth enshrining,
instead of shirking responsibility of actually enforcing it onto tech giants,
we should have the courts adjudicate the requests so that the public interest
will be appropriately weighed. Of course this will be much more expensive, but
like health, education, and so on, doing the right thing is often expensive.

~~~
rhizome
We agree, but it's a hard question that's going to keep coming up. Not from a
standpoint of morals, but of privacy.

------
somberi
I had posted it on the other link as well where Panera Bread's leaks were
discussed (1 and 2), but since it is relevant to this discussion, reposting it
here. I have edited my conclusion a bit from the original two postings:

Commenting only on the speed of response (or the glacial interpretation of it
in Panera's case):

For companies operating in the European Union, the General Data Protection
Regulation (GDPR) (3) mandates that such breaches need to be disclosed within
72 hours. The implementation deadline for GDPR is by end of May 2018 (~7 weeks
to go).

Under Armour, a US-based sports apparel manufacturer, who operates in the EU as
well, recently had a breach that affected 150-million users, and went public
within 3 days of discovering the breach (4).

I believe Under Armour's case is the norm we can expect going forward. As most
companies are not "tech" in nature, unlike FB which happens to be one, it will
make sense for them to keep just one security policy and the legally mandated
strictest one may be the dominant policy across the enterprise.

(1)[https://news.ycombinator.com/item?id=16739753](https://news.ycombinator.com/item?id=16739753)

(2)[https://news.ycombinator.com/item?id=16741391](https://news.ycombinator.com/item?id=16741391)

(3)[https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)

(4)[http://www.bbc.com/news/technology-43592470](http://www.bbc.com/news/technology-43592470)

~~~
trampypizza
It's worth noting that Article 33(1)[1] states that a breach must be reported
to the local supervisory authority unless said breach is 'unlikely to result
in a risk to the rights and freedoms of natural persons'. This call is made by
the organisation which suffered from the breach, by the way (certainly in the
absence of any case law).

It will be interesting to see the interpretation of that clause in action,
specifically when looking at information such as IP address which is still
considered a grey area.

[1] [https://gdpr-info.eu/art-33-gdpr/](https://gdpr-info.eu/art-33-gdpr/)

~~~
consp
While the decision to do/not-do is up to the company, they still have to
document it (in any case, even non-personal), mention the reason for not
reporting (e.g. "it's only an IP address") and make that document available
upon request.

So if the breach turns out to be a bit more major than they want everyone to
think it is and it turns out that it was major in the end, there either is a
paper trail or, worst case for them, no paper trail and probably a worse fine.

------
acjohnson55
It's unfashionable to say this, but I get a lot out of using Facebook. But I'm
now thinking hard about getting by without it.

~~~
exolymph
Upvoted you for admitting that Facebook is a useful product.

~~~
maym86
Not because it's a particularly good service. Mainly because everyone is on
there. It would also be fine if everyone was on Google plus or anything else
but it's the only place where I know I can reach most people I know.

~~~
jokoon
I stopped using facebook in 2008, and I wonder if my social life degraded
because of not using it.

Since everyone is on it, it would make sense that not using it would "exclude"
you from a social standard or norm.

There are two sides to this.

First, I don't think exchanging on facebook is relevant or meaningful social
exchange. Teamspeak or skype are more meaningful, but facebook only brings
delayed text, photo and video, while real time matters more.

The second side is that as I've discussed already, there are no discovery
features on facebook. You don't make new friends thanks to facebook, you only
do with Tinder, meetup, Uber, etc. The friendship relation in facebook is one
of exclusivity. I don't think facebook events or groups are really attractive
to users, or really do create new friendships, beyond the classical scenario
of real life meeting. If you make new friends, it's not really thanks to
facebook, because organizing an event can be done on any other platform, or
even by email.

So it's true that user base matters a lot, but facebook seems to have little
to no usefulness. It's just for messaging, posting photos, event exposure.
It's just a very large myspace, with improved features, but it brings nothing
new to the table.

~~~
icebraining
_facebook only brings delayed text, photo and video, while real time matters
more._

You mean, except for FB Messenger (and Whatsapp, which should be included if
one is talking about the company practices).

_The second side is that as I've discussed already, there are no discovery
features on facebook._

I'm not a user, but AFAIK it does suggest friends to you. Plus, you often
interact with friends-of-friends (e.g. through comments on posts of your
friends), which does allow you to discover new people.

------
shiado
How does Facebook distinguish between US and European users? Does it do it
based on IP address? On GPS data it slurps up from mobile applications? On the
manually selected city the user specifies that they live in? Facebook also
operates a TOR service, how can it comply whilst not knowing where the user is
signing in from? Does a European user who uses an American VPN become
classified as an American user and vice versa? There is probably a business
opportunity here somewhere to provide European data privacy as a service. It
all seems pretty complicated.

~~~
rando444
European data privacy is the GDPR.

If a company wants to operate in Europe and accept European customers, they
abide by the law.

If they can't manage to figure out they're servicing European customers and
protect their data according to the law, then they get fined substantially.

It might be complicated, but the onus is on the company not the user, making
this Facebook's problem to resolve.

~~~
gwright
This seems a bit too dismissive to me. The notion of jurisdiction for a
transaction or contractual relationship is indeed pretty complicated.

It isn't clear to me that the burden should be on the service provider to
discern the legal domicile of a user and to be required to adjust its business
practices to accommodate the regulations of their 'home' jurisdiction.
Wouldn't that rapidly devolve into every service provider being required to
operate within the rules of some extremely complicated intersection of all
possible jurisdictions?

~~~
petilon
It is actually very simple. Ask the user. If the user says he lives in Berlin,
then apply EU laws to his data. If Facebook tries to "discern" the domicile
and incorrectly discerns the domicile then that's Facebook's problem.

~~~
jmalicki
And if the user says he lives in New York City, but lies, how does that remove
the responsibility of Facebook to protect that user's data?

It is not so simple.

~~~
s73v3r_
Actually, it's extremely simple.

Protect EVERYONE'S data. Don't care where they are.

------
jdavis703
How can this be legal? I travel to Europe frequently for work. I use (well
technically used) Facebook to stay in touch with people back home. But
shouldn't my data be covered under GDPR if I've saved data from within the
European Economic Area?

~~~
pwtweet
1) GDPR applies to EU citizens only 2) Nothing to do with EEA.

~~~
calcifer
GDPR applies to all EU residents, not just citizens.

~~~
lilott8
How is this enforced? For Facebook, let's say, all I have to do is change
my country from a non-European country to a European country, and I'm good?
Because that is a fairly easy line to cross.

~~~
dmitriid
To be a resident you have to provide proof that you actually live in a
country.

The US commonly accepts utility bills in your name. The EU most likely
requires you to have a residence permit.

Edit: that said, GDPR may still cover you while you are within the EU borders:
[https://news.ycombinator.com/item?id=16751963](https://news.ycombinator.com/item?id=16751963)

~~~
btbuilder
You can't generalize residency like that. It depends.

In the EU, laws on residency are different for each member state.

You become US tax resident based on the significant presence test without
presenting any proof.

You become a legal permanent resident in the US when you get a green card.

Proof of residency is only required in US states that follow REAL ID act which
California only started conforming to this year.

------
hedora
Given that the maximum fine is 4% of revenue, I wonder if they’d make more
money treating the law as a tax, and just paying the fine.

This is doubly attractive if they can have a European subsidiary that only
pays the fine on European revenue.

(I’d rather see the penalties be strengthened, to be clear.)

~~~
foolfoolz
strengthened? this is already such a large undertaking with huge risk. it’s
not 4% of EU revenue, it’s global revenue.

i think many small businesses are going to have to shut down EU operations
because of GDPR

~~~
jacquesm
Of course you could simply comply with the law. It's only made to look super
difficult by those that would like to avoid compliance. But in practice it is
actually fairly reasonable and if you were a conscientious operator you most
likely already had 90% or so of the technical measures in place long ago.

~~~
aquadrop
Maybe an unpopular opinion, but I think GDPR is not net good. It has its good
parts, but overall it doesn't really improve security (think of all the big
data breaches, GDPR wouldn't help there), but makes many things harder,
especially for small companies and hence stifles innovation. Like the infamous
"cookies law" but on a larger scale. Governments pressure private companies with
this, but at the same time are making it easier and easier for themselves
(governments) to spy on people and infringe on people's privacy (in the name of
the fight against terrorism, or "for the children" etc).

~~~
rmc
GDPR can help advocates for privacy within an organisation. Rather than argue
with nebulous harm from potential bad PR, you can say "If we don't do this, we
risk a fine of $LOTS"

~~~
bonesss
GDPR puts legal teeth with $MegaFines onto a lot of internal IT political
battles beyond security, too.

Unified project processes, mandatory architectural reviews, IT-driven
planning... if you're in a domain with lots of personal data, the answer to
"why can't we be cowboys and ignore IT just this one time" goes from "because
we are trying to do IT right, dammit" to "because it's illegal" or "because
the compliance costs are too high".

------
gU9x3u8XmQNG
I can't help but feel that the decisions behind `excluding these features
globally` or `targeting these features specifically` are made for less than
savory reasons.

I would understand if these features are available, though default to their
'current'/'non GDPR compliant' setting - but this does not seem to be the
case.

Without an explanation of how and why these decisions are being made, which is
not 'legally' required, I think more and more users should question Facebook,
and their motives.

------
personlurking
“We’re still nailing down details on this, but it should directionally be, in
spirit, the whole thing,” Reuters quotes Zuckerberg on the GDPR question.

I'd prefer "no comment atm" rather than this string of vague words, but then
TC wouldn't have an article.

~~~
rock_hard
Agree. The race to the first headline is a disservice to the public.

Unfortunately it's hard to find any news outlet these days who refrains from
such shady tactics :(

I hence started blacklisting news sites that I notice spreading FUD... even if
that means I end up with no news.

On social media it's actually less of a problem because I am able to engage
with the person who shared it.

------
nsxwolf
We're spending a lot of money finalizing our GDPR implementation right now. I
wouldn't know how to _not_ extend it globally. That would be significant
additional work at this point.

~~~
tclancy
This was my reaction: they're either even better programmers than I thought if
they don't see bifurcating their approach to users based on temporal
geographic locations or they're dumber than rocks.

[conclusion left as an exercise for the reader]

~~~
bigmanwalter
Or they have absurd amounts of cash and manpower to throw at the situation.

~~~
tclancy
Yeah, and I'm sure there are solutions smarter than I can imagine, where all
user-generated data gets consumed through a pipe and it's just a matter of
having guards that look at the combination of user data type and user location
and filter it out. But it feels to me like there are still going to be a
million little branching problems at places beyond the pipe.

------
robbiet480
I can't imagine it would be too hard for Facebook to extend the work they've
done for GDPR to all other countries and am surprised they are choosing not to
as it only puts them in a worse position with the American public and any
other non-EU country that is privacy conscious.

~~~
grigjd3
Targeted ads make a lot more than untargeted ads.

~~~
BeeOnRope
Does the GDPR prevent the targeting of ads?

~~~
grigjd3
If someone opts out of data mining, there is nothing to target with.

~~~
robin_reala
Sure there is, you target based on the context of the surrounding copy, not
the context of the viewer’s data.

~~~
SahAssar
Then you get into the quagmire of what is personal data, right? As in, how
many clicks on external ads are considered personal data? IIRC the definition
of personal data under GDPR is "any data or collection of data that when
combined with any other data can uniquely identify you" (or at least that is
what my company is operating under). So that means a lot more than what we
traditionally see as "personal data".

~~~
robin_reala
I’m not sure I follow? By clicking on an advert you’re moving to a 3rd party
with their own potential collection and collation of personal data, and their
own opt-in requirements. It would be down to the advertiser at that point to
receive consent from the user.

------
volgo
Does anyone know how one can mark him/herself as a "European Citizen" on
Facebook so that this GDPR protection applies? Not for me personally, asking
for a friend.

~~~
Swizec
I wonder what happens if I’m a European Citizen, which I am, but live in the
US, which I do.

Does GDPR apply? Can I go around making annoying requests to apps and services
I use?

~~~
tscs37
As far as I'm aware any citizen of the EU is under the GDPR umbrella even
abroad.

~~~
fasteddie
While that may be technically true, the specifics of the law would make it
impossible to follow unless companies assumed everyone who visited their site
was an EU citizen.

For example, using google analytics in many cases in the EU will now require
opt-in consent, even for anonymous visitors. But unless a user registers and
says, "hey, I'm an EU Citizen actually" you wouldn't know ahead of time. Makes
much more sense to segment for EU IPs if you are a large company that relies
on such stuff to make decisions.

~~~
mercer
> Make much more sense to segment for EU IPs if you are a large company that
> relies on such stuff to make decisions.

That could be risky for EU users abroad or behind VPN's, no?

While I understand the 'plight' of companies who rely on data sucking in some
way, this strikes me as a good reason to just assume everyone is from the EU
and figure out how to make a profit despite that.

~~~
fasteddie
My unprofessional, based on nothing guess is that no one will be prosecuted
for that kind of technicality, as there will be much bigger fish to fry of
large companies totally flouting major pieces of the law.

~~~
SahAssar
I'd love to set up a basic, solar powered, satellite VPN on Hans Island just to
legally test this.

------
tempodox
No surprise there. But it may serve as yet another reminder that privacy
protection can only result from laws and not from the mercy of Facebook and
its ilk.

~~~
fakescience
Doubt that lawmakers will really protect users. Think the only way to lead to
substantive change would be for users to take collective action through
protests [1]. Imagine how quickly the company would take action to make real
changes to user privacy if a Facebook User strike took place...

[1] [https://medium.com/@oddbert2000/call-for-a-facebook-users-st...](https://medium.com/@oddbert2000/call-for-a-facebook-users-strike-on-may-1st-49733f3c7631)

~~~
kevin_thibedeau
Have crack users ever successfully mounted a strike to lower the dealer's
price?

------
mancerayder
... and suddenly legislation/coercion doesn't seem so bad if you value privacy
as a path society should veer towards. It doesn't seem the market's doing its
magic in our favor in this area.

------
Jerry2
I'm so glad I closed my FB account a while back. It has restored my sanity and
I also don't have to worry about megalomaniacs such as Zuckerberg sifting
through my data and selling it.

I think we should start a campaign and lobby our own government to pass a law
similar to GDPR.

~~~
411mrc
> I also don't have to worry about megalomaniacs such as Zuckerberg sifting
> through my data and selling it.

No, they track everyone across the web via their embedded pixels and create
"shadow profiles." I have never joined Facebook, but they still know me. I
block their tracking by blocking their various websites. I'm not sure that's
enough as I understand they still buy data. In their defense, I don't think
they sell my data, except perhaps to the NSA.

~~~
mziel
I don't see how shadow profiles can be justified under GDPR and ePrivacy. If
you have identifiable information (just "some" ID will do, but also IP and various
other fingerprints) then you need to allow for deletion/takeout/opt-out.
The current strategy of implied consent ("if you're on this site you agree") is
strictly not allowed.

~~~
e12e
It's not. Well, as long as the GDPR applies. So, if we assume there are 5
billion profiles on fb (2 billion actual users, and everyone else that uses the
Web at least occasionally - I'm not sure if 5 billion total is a bit high) -
compliance with GDPR would render some 100s million high value profiles
illegal. Applying the GDPR to the remaining profiles would require an entirely
new business model for Facebook.

------
mehrdadn
> Zuckerberg said many of the tools that are part of the law, such as the
> ability of users to delete all their data, are already available for people
> on Facebook.

Uhm, do those tools actually delete the data though? Are they not required to
under GDPR?

~~~
camillomiller
Disingenuous as always. GDPR requires a maximum grace period of 30 days to
comply with the erase request. Facebook holds your stuff for 90 days. Just as
an example. Data management is just a part of the law, by the way. Facebook is
currently not complying with all the obligations about privacy by design and
defaulting to opt-out.

~~~
rmc
But that's easy to get into compliance, just adjust a setting from 90 to 30.

~~~
mziel
You also need to make sure you implement true deletion instead of a DB flag
(and still use that stuff on the backend).

~~~
SahAssar
And that's not even getting into logs or backups, which will probably be a
problem to delete from for smaller companies (since I'm assuming that facebook
couldn't keep logs or backups for 30 days since that would be massive).
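The soft-delete trap raised in the last few comments, as an added toy illustration that is not code from the thread or from Facebook: a "deleted" flag leaves the row and its log lines in place for any backend job that forgets the flag, while true erasure removes both; the 30-day window is the figure quoted above, and the users, log lines and erasure requests are constructed.

```python
"""Soft-delete flag versus true erasure, plus a 30-day deadline check.

Constructed, in-memory illustration (not Facebook's code). It shows why
a "deleted" column is not erasure: a backend job that forgets to filter
on the flag still uses the row, and log lines keyed by user id still
identify the person. The 30-day window is the figure quoted in the thread.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

ERASURE_DEADLINE_DAYS = 30  # maximum grace period quoted in the thread


@dataclass
class User:
    user_id: int
    email: str
    deleted: bool = False  # the soft-delete flag


@dataclass
class Store:
    users: dict = field(default_factory=dict)   # user_id -> User
    logs: list = field(default_factory=list)    # "<date> user=<id> event=<name>"
    erasure_requests: dict = field(default_factory=dict)  # user_id -> [requested_on, done]

    def soft_delete(self, user_id: int) -> None:
        """What a DB flag does: the row and its log lines stay behind."""
        self.users[user_id].deleted = True

    def hard_delete(self, user_id: int) -> None:
        """True erasure: drop the row, scrub identifying log lines,
        and record that the request was fulfilled."""
        self.users.pop(user_id, None)
        tag = f"user={user_id} "  # trailing space so user=1 never matches user=10
        self.logs = [line for line in self.logs if tag not in line]
        if user_id in self.erasure_requests:
            self.erasure_requests[user_id][1] = True

    def marketing_export(self) -> list:
        """A backend job that forgot the flag: the leak the thread warns about."""
        return sorted(u.email for u in self.users.values())

    def careful_export(self) -> list:
        """The same job with the flag honoured; every job must remember to."""
        return sorted(u.email for u in self.users.values() if not u.deleted)

    def identifying_log_lines(self, user_id: int) -> list:
        """Log lines that still point at this person after a soft delete."""
        tag = f"user={user_id} "
        return [line for line in self.logs if tag in line]

    def overdue_erasures(self, today: date) -> list:
        """User ids whose erasure request is unfulfilled past the window."""
        window = timedelta(days=ERASURE_DEADLINE_DAYS)
        return sorted(
            uid for uid, (requested_on, done) in self.erasure_requests.items()
            if not done and today - requested_on > window
        )


def build_sample_store() -> Store:
    """Constructed sample data (hypothetical users, log lines, requests)."""
    store = Store()
    for uid, email in [(1, "alice@example.com"), (2, "bob@example.com"),
                       (10, "carol@example.com")]:
        store.users[uid] = User(uid, email)
    store.logs = [
        "2018-04-01 user=1 event=login",
        "2018-04-02 user=10 event=login",
        "2018-04-03 user=1 event=post",
        "2018-04-04 user=2 event=login",
    ]
    store.erasure_requests = {
        2: [date(2018, 4, 1), False],    # 54 days old on 2018-05-25: overdue
        10: [date(2018, 5, 20), False],  # 5 days old: still within the window
        1: [date(2018, 5, 1), True],     # already fulfilled
    }
    return store


def demonstrate() -> dict:
    """Run the soft-delete leak, then the true erasure, and report."""
    store = build_sample_store()
    store.soft_delete(1)
    leaked = "alice@example.com" in store.marketing_export()
    still_logged = len(store.identifying_log_lines(1))
    store.hard_delete(1)
    gone = "alice@example.com" not in store.marketing_export()
    return {
        "soft_delete_leaks_email": leaked,           # True
        "soft_delete_log_lines_left": still_logged,  # 2
        "hard_delete_removes_email": gone,           # True
        "overdue_on_2018_05_25": store.overdue_erasures(date(2018, 5, 25)),  # [2]
    }


if __name__ == "__main__":
    print(demonstrate())
```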

------
opmelogy
“The vast majority of what is required here are things that we’ve already had
for years across the world for everyone.”

My understanding is that GDPR would require a deep delete of user data from
Facebook's systems. Anyone have info on how that would work with shadow
profiles that Facebook creates on your behalf and without your consent? Seems
like this would fall under the domain of GDPR. (Which also makes me think of
just how misleading that quote is from Zuckerberg)

~~~
AFNobody
That is because it is misleading. Under the GDPR, they would have to hard
delete those shadow profiles. For everyone else, they would not delete that
data.

~~~
SahAssar
Not only that, but any linkable information about that shadow profile will
need to be scrubbed. So a photo of me and a friend which my friend has
uploaded to facebook will need to have my face or other identifying details
scrubbed or the photo deleted.

------
alex_young
GDPR requires protection for all EU citizens regardless of location of the
user or the data. This means that the millions of EU citizens living in the US
have to be afforded the same protection, or FB faces very punitive fines.

It will be interesting to see how this plays out. Will FB require users to
stipulate that they do not have an EU passport? What happens if we all say we
have one? How would they verify that?

~~~
shadowtree
No, it applies to EU _residents_.

A US citizen living in Hamburg is covered by GDPR. An Austrian citizen living
in the SF Bay Area is not covered by GDPR.

Don't know if this makes it easier or harder.

~~~
jmalicki
What if I am an Austrian citizen and resident traveling to the SF Bay Area?
Does it still apply? (Not clear on how jurisdiction works in these sorts of
cases)

~~~
shadowtree
I predict sign-up dialogs where you will have to unequivocally state if you're
an EU resident or not - because there is next to no algorithmic way of making
sure you're dealing with an EU resident.

------
cblock811
Even if they did I doubt Facebook has enough of a handle on their data to
avoid the fines for GDPR. Their infrastructure must be massive, and they
have a big target on them. I can't say I feel bad for them.

------
justinzollars
Europe needs the notion of a digital refugee.

------
nimos
I wonder what the minimum amount of work you have to do to get GDPR to apply
to you. Is it EU citizens only? Or would residency work?

I doubt it, but it would be interesting if Estonia's e-residency thing would
be enough.

~~~
rmc
GDPR applies to companies/orgs which are (i) based in the EU, or (ii) process
personal data of people who live in the EU (regardless of where the corp/org
is).

I think lots of EU law applies to residents, rather than citizens of an EU
member state.

[https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en)

------
freyir
When I was growing up, Microsoft was the “evil empire.” The times, they are a
changin’.

------
ocdtrekkie
This is really the wrong time for Zuck to decide to not commit to literally
any privacy request someone has.

They already have to meet GDPR in Europe, it's actually _easier_ to not
maintain two separate sets of rules, so the decision to not give people
worldwide the same protections as in Europe is an intentional choice to do
more work to give people less privacy.

~~~
RyJones
Is Facebook available in China? Do they comply with Chinese law? I'm not sure
I'd want to have Chinese law applied to me here in the US.

~~~
fastball
Yeah, except GDPR is demonstrably _only_ good for the consumer.

~~~
hueving
It cannot be 'demonstrably only good' because there is no way to know all of
the services this will prevent from being viable.

~~~
taurath
I think we have a pretty good idea of the services that no personal privacy
creates.

------
eyeareque
If a user puts their location as being EU based, you get better privacy
controls? If I still used fb I would take advantage of this.

------
bwb
Ya this is America, they are not going to do something they don't have to that
affects their profitability.

~~~
cryptoz
> that [they think] affects their profitability.

FTFY. This is a gamble on Facebook's part that for now and forever, the
American users it has _do not care_ about privacy enough to seek an
alternative or stop using the service. They might be right. But it is also
possible they are wrong, in which case this move certainly would affect their
profitability (negatively). It remains to be seen how Americans will react and
feel about their privacy as time goes on - and these feelings are already
changing somewhat rapidly in some places in the US.

~~~
fakescience
agreed. Facebook users need to organize. Easy to do in theory, hard to do in
practice.

[1] [https://medium.com/@oddbert2000/call-for-a-facebook-users-st...](https://medium.com/@oddbert2000/call-for-a-facebook-users-strike-on-may-1st-49733f3c7631)

------
phjesusthatguy3
The truth of it is that it will probably cost them less to engage with each
GDPR dispute individually than it would to comply with the letter of the law.
I can't say I blame them.

~~~
rmc
There's a maximum fine of up to 4% of global revenue _per incident_....

------
tialaramex
Of course just because the GDPR _sounds_ tough doesn't mean enforcement will
be tough in practice.

The UK decided that all UK companies must disclose the actual humans who
control them. This sounded like a really good rule, which would help expose
some of the worst abuses going on, although it wouldn't fix everything.

But it turned out that the shadowy figures just ignored it completely and the
government did nothing. So you have a form field saying "Persons with
significant control: You must list one or more natural human persons who
exercise significant control over this company" and a lawyer writes "Offshore
Shadowy Puppet Corporation #36656" and hits submit and it's accepted.

My reading of the law is that the government _could_ identify companies that
ignored this rule, and seize their assets, on the justification that they
haven't taken anything from any actual natural person, no natural human person
was identified as controlling these assets anyway. But even if I'm right they
do nothing, so what was announced as this big important policy change became
in fact just a PR stunt.

~~~
donohoe
Very possible.

However the various groups I've spoken to are very concerned that this
directive does have teeth and willingness to use enforcement power.

In the same way that legal firms started patent-trolling, there is concern
that GDPR is ripe for the same treatment (legal firms bringing cases on behalf
of users in order to earn fees).

Right now I think there is legitimate concern, but time will tell.

~~~
jakewins
> GDPR is ripe for the same treatment

Nonsense. Patent litigation allows trolls to sue for and receive damages from
the other party. GDPR violations lead to fines that go to the
_government_; the plaintiff does not receive damages.

Law firms working GDPR cases will only make money off of their _clients_, not
from the companies they bring suits against.

This is fundamentally different from patent law.

------
throw2016
Micro targeting fuels an insatiable greed for user data. You can target by
sexual preference, political leaning, race, religious beliefs, moods, socio-
economic status, life events and a never ending list of sub groups.

This requires vast amounts of data to make inferences and create models. So
behemoths like Facebook and Google are motivated to collect as much data about
users as possible so they can put them in various buckets.

The only way to address this is to clamp down on micro targeting by
advertisers. And stop platforms like Google and Facebook from offering micro
targeting to advertisers. Data collation from multiple sources by marketing
folks and their agencies should similarly not be allowed. Only textual context
and location is ok.

This kills invasive surveillance at source, still lets online businesses make
money, still lets advertisers advertise by location and text context and best
of all protects civil society and democracy from the toxic effects of a
surveillance culture.

------
Mononokay
> There’s no way to sugarcoat this message: Facebook’s founder Mark Zuckerberg
> believes North America users of his platform deserve a lower data protection
> standard than people everywhere else in the world.

Orrrrrrrrrrrrrrrrrrrr he thinks no one deserves data protection/privacy, but
is forced to give them it as demanded by law.

------
doktrin
I don't know about anyone else, but as an EU skeptical European I've never
been more happy about GDPR. The tech hegemons clearly don't deserve the public
trust and good will they've enjoyed for the last decade.

------
gabept
The timing is not the best, and the actual process would be treacherous
(completely limiting GDPR only inside the EU).

This smells like a simple PR move after the big drop on FB stock following the
Cambridge Analytica disaster.

------
jumelles
Oh man, they really don't get it...

------
PeOe
Although GDPR is a European law, people all over the world want to have more
data protection. As a German startup, we have to offer good data protection
already, and the GDPR is a great opportunity to serve our customers better than
before. As a social network like Facebook, you need the support of your users
to hold them. So why is Facebook making one mistake after another? They not
only lose users, they also lose their image.

~~~
rmc
GDPR applies to companies in the EU, so any EU company will have to apply it
to all people/users.

~~~
PeOe
Yes, but Facebook is an American company. Because they have users all over the
world (in EU too) they should serve all people with the same policies. It
might be better for their image and they will get happy users too.

------
justinzollars
Europe needs the notion of a digital refugee.

------
ggregoire
Does GDPR apply for my new data if I created my account in Europe but now live
abroad?

> The European law, called the General Data Protection Regulation (GDPR), is
> the biggest overhaul of online privacy since the birth of the internet,
> giving Europeans the right to know what data is stored on them and the right
> to have it deleted.

Are we talking about soft or hard delete?

~~~
BeeOnRope
It applies to the _person_ and doesn't depend on where you were when you
created the account. If you are an EU citizen (possibly living abroad) or a
current EU resident, you get the protections.

If you created the account in the EU but are now living outside and are not an
EU citizen, it would not apply to you (until, perhaps, you returned to being
an EU resident).

~~~
24gttghh
How about some facts, or well, FAQ's[0]:

>Who does the GDPR affect? The GDPR not only applies to organisations located
within the EU but it will also apply to organisations located outside of the
EU if they offer goods or services to, or monitor the behaviour of, EU data
subjects. It applies to all companies processing and holding _the personal
data of data subjects residing in the European Union_, regardless of the
company’s location.

Emphasis, mine.

[0] [https://www.eugdpr.org/gdpr-faqs.html](https://www.eugdpr.org/gdpr-faqs.html)

~~~
BeeOnRope
Yup, you are right. EU citizens don't get the benefits of the GDPR if they are
outside the union.

So all of this "will they make you upload your passport?" stuff seems to be
mostly nonsense since it apparently has nothing to do with citizenship.

~~~
24gttghh
Well it seems like being covered as a "natural person" would mean you need to
be a resident _and_ a citizen of a given EU member state?

~~~
BeeOnRope
Well IANAL but the couple of summaries I read on this specific issue (who is
covered) seemed to take the position that EU-resident non-citizens would be
covered, including perhaps even just travelers and other people passing
through.

I admit to not having looked into it in depth, however.

------
wonderland83
Happy I left FB and other online social giants almost 10 years ago. It
was obvious back then where this was heading. Young positive entrepreneurs
should listen to their senior peers, now and then, or history will repeat
itself. This is also a result of ageism, I think.

~~~
e12e
Arguably the GDPR is more important to users whom FB only has a shadow profile
on than to those who use the platform. At least as a user you might get some
utility from Facebook - otherwise you are simply a victim of spying.

------
moomin
“No plans” is a pretty misleading term for “Large body of work to bifurcate
our handling of privacy”

------
TheCapeGreek
In relation to another comment in the thread about who exactly GDPR covers
(seemingly anyone in Europe right now), what about EU citizens not currently
in the EU? I made my FB account when I was a teen in Greece, but now reside
elsewhere.

~~~
rmc
It also applies to companies which are based in the EU. AFAIK everyone outside
the USA & Canada has a contract with Facebook Ireland Ltd. If your account is
with them, then they have to follow GDPR

------
hahamrfunnyguy
Of course not. Facebook's entire business model is to be as creepy as possible
and harvest as much personal information as they can.

------
wemdyjreichert
Following sensible privacy guidelines is good. That said, following GDPR for
the whole world is not. The EU does not legislate for the world.

~~~
guitarbill
So the GDPR != sensible privacy guidelines? Please do elaborate what that
would look like! And what makes following the GDPR for the whole world bad?

Whatever your stance on the EU and its laws, at least they're trying to
address exactly that question.

~~~
aquadrop
Parent comment says that EU legislating for the whole world is bad. For
example, UK (still EU yet) has antiporn laws, next they decide that all online
porn should be forbidden, in the whole world. And so on. Is it good?

~~~
guitarbill
No, they clearly said "following GDPR for the whole world is not [good]." And
so, why?

When a country passes new safety standards for building cars, I'm sure car
makers don't like that, but they still do it. And for models sold world-wide,
they're often built the same (except for local variances like steering wheel
side, etc.), so if you live in a country with less strict safety standards, you
effectively still get the higher standard. GDPR should be implemented in most
places. Why not extend that treatment to everybody? Fewer edge cases. It has
nothing to do with the EU legislating "the world", just engineering pragmatism
for a global world, and being user friendly.

------
forgotmypw
Facebook is an experiment in how accurate a simulation of privacy has to be
before people accept it as the real thing.

------
theweirdone
And you know who is using GDPR as the gold standard and extending it
globally? Uber. Yes, you read that correctly.

~~~
SahAssar
It's basically the default for most companies. Let's not pretend that uber
cares about your privacy or data.

------
ct520
Welp looks like my profile location is abruptly changing to somewhere in the
European privacy law jurisdiction then.

------
camillomiller
Just saying, Apple will. (Source: Apple)

------
swanlyk
It seems that a "European" facebook will appear that strictly adheres to EU
laws.

------
gigatexal
Imagine if Microsoft had bought Facebook back in the day. Things would be
different.

------
thelittleone
How do they validate whether the person requesting “right to erase” is an EU
citizen?

------
dec0dedab0de
If you connect to Facebook from a VPN in Europe, would you be covered?

~~~
Fej
If I'm not mistaken, you have to be a citizen of the European Union.

~~~
dec0dedab0de
If you do have to be a citizen, I wonder what happens if someone moves to the
EU, and becomes a citizen. Does it only apply to data since they became a
citizen, or retroactively to all data?

Also, how could Facebook verify whether you're a citizen or not? Couldn't you
just say you were always a citizen, just on a green card in the US for a few
years?

Would it be illegal to show facebook a fake id?

Just idle curiosity.

~~~
dannyw
Data doesn’t have rights; you as a human (citizen or resident of EU) have
rights on your data.

So it’s retroactive.

------
womperGompers
Fortunately, use of Facebook isn't required by law.

~~~
s73v3r_
That doesn't matter; there's still no excuse for them to not protect the data
of those users who choose to use it.

------
juststeve
just awful

------
feelin_googley
"As it had done consistently in its history, the firm, when faced with
financial pressure, moved ever further in the direction of monetizing users'
personal data. In this case, it finally went after the like button.

A little over a year after the IPO, on June 12th, 2014, Facebook quietly
announced a change to its terms of service. "Starting soon in the U.S., we
will also include information from some of the websites and apps you use," the
company wrote. "This is a type of interest-based advertising, and _many
companies already do this_."

...

In perhaps the creepiest example, Facebook applied for (and received, last
year) a patent for a tool called Techniques, for emotion detection and content
delivery. It would use the camera in your phone to take pictures of you as you
scroll through content. Facebook would then use facial analysis to measure how
much you did or did not like the content in question, so as to determine what
kind of stuff to send your way. Ideas like this are what make Facebook, at
times, feel like a giant blood-engorged tick hanging off your frontal lobe."

Source:

[https://www.rollingstone.com/politics/features/taibbi-facebo...](https://www.rollingstone.com/politics/features/taibbi-facebook-can-we-be-saved-social-media-giant-w518655)

~~~
nerdponx
Who is sociopathic enough to follow through on an idea like this?

~~~
vertex-four
People need to live - not many are in a position to leave their job if they
don’t like what they’re doing. Whether they morally agree with it is
irrelevant - they have debts, a lifestyle, a family, and so on and so forth.
This goes from the programmer up to the CEO level, and the shareholders
(largely regular people through an index fund) aren’t close enough to the
company/don’t feel enough ownership over it to demand it does something else.
The other actors are those playing on the financial markets more directly, and
again, they have a job of making as much money as possible, consequences be
damned, or they lose their job/home/ability to support themselves and their
family/etc.

This is capitalism at its finest - putting people into positions where they’re
unable to express their moral preferences. And you can’t change this as an
individual or minority group, as everybody grows up in a system that heavily
encourages (and in many cases forces) that people put themselves into that
position - as a minority actor, you can’t prevent the system from working.

Nobody would build these systems for free.

~~~
h0p3
Living like a FB Dev is not the same as merely living (well or otherwise). You
sound like you are trying to rationalize (not just explaining, but justifying)
their behavior.

I would agree those in poverty are not in a position to leave their job (and
even then, I'm willing to consider options). Devs in Silicon Valley do have a
choice though. You are correct to identify capitalism as a fundamental
problem, but you've conveniently minimized their privilege too far in this
case. They don't get to say "capitalism made me do it." They really did and
still do have an opportunity to be moral, costly as it may be to their
standard of living. They are part of the problem because _this just is their
expression of their moral preferences_.

They might not be able to prevent evil, but that doesn't mean they should
actively participate in it. Just because you can't stop the Nazis doesn't give
you license to be one.

I hold programmers responsible for what they program, especially anyone living
above the poverty line. There is no justification for their behavior. It's
plain evil.

------------------------------

[https://philosopher.life/](https://philosopher.life/)

------
feelin_googley
"... _there are no privacy laws in the United States that directly prohibit
political campaigns from buying, selling, or manipulating voter data and
personally identifiable information_.

_Without any privacy protections for individuals in the United States_,
companies such as Cambridge Analytica are able to exploit trillions of bits of
personal information about individual voters.

And while Facebook has offered a plethora of _apologies_ and suspended the
company from its platform, there's not much you can do about it _after the
fact_.

...

Yet, _Facebook users ultimately have little recourse against Facebook itself_.

...

Again, _federal and state privacy laws offer very little protection_."

Source:

Joel Winston (@joelwinston) is a Pittsburgh-based attorney who specializes in
privacy and cybersecurity law. He formerly served as a Deputy Attorney General
for the State of New Jersey and currently provides global legal and regulatory
counsel to _technology companies_. [cf. technology users]

[https://www.nbcnews.com/think/opinion/facebook-data-breach-s...](https://www.nbcnews.com/think/opinion/facebook-data-breach-scandal-our-own-making-legally-there-s-ncna862211)

------
downandout
Having read the GDPR requirements, I don’t think that Facebook, or any other
social network, can fully comply and still be a social network. Many features
will be impossible to offer to people that are subject to these requirements,
such that the GDPR version of Facebook wouldn’t really even be the same
service anymore. If I were starting a social network today, I’d simply block
EU IPs from accessing it.

~~~
seanwilson
> Many features will be impossible to offer to people that are subject to these
> requirements

Features like what? They couldn't even be offered if the user was to opt-in?

~~~
downandout
The problem is that the law raises more questions than it answers. But
arguably, features like _having a profile in the first place_ could be
affected. The law demands that only the minimal amount of personal information
required for a specific purpose be collected, and then that it must be deleted
as soon as that purpose has been completed. They cannot request more
information than perhaps the person’s name and email address, lest they run
afoul of this law. So if someone posts something in their timeline, how long
is it allowed to stay? Until all friends have seen it, or longer? Was it a
violation of the law to even have a space for the user to enter the
information into the timeline, since it wasn’t “necessary”?

So the EU has created a law that Facebook and many other online services will
arguably at all times be in violation of. This will create an environment
where the EU can use the threat of enforcing the law to effectively impose its
will on these massive businesses that cannot comply and still run their
business. This was sold to the public as a privacy law, but it’s really just a
huge power play.

~~~
bkanber
This comment is really inaccurate. Under GDPR you must have a legal basis for
all data processing activities. In the case of maintaining a social profile,
the legal basis is "explicit consent" pursuant to "serving the interests of
the data subject". Therefore the posts on the wall can stay up as long as the
user continues to consent to their staying up.

What cannot be kept indefinitely is the data that Facebook has not received
explicit consent for -- the profiling in the background, scraping information
from other sites, and so on.

~~~
downandout
HN seems united in its love of this legislation (someone even called me a
"f*cking ignorant clown" in a flagged comment below), so I'll leave this
thread with this. GDPR wouldn't be the first time that well-intentioned but
broadly written laws have created the potential for unforeseen and very nasty
results. One recent example is how the passage of FOSTA - a law designed to
deter human trafficking - resulted in the instant shutdown of one of the
largest and oldest personals sites on the Internet [1].

Broadly written legislation, whether intended by its authors or not, always
winds up being used as a tool to gain leverage where the government didn't
have it before. So yes, there will be some good things that result from this
legislation, just as some good things will likely result from FOSTA. But
because it is so broadly written and many things in it will be up to the
interpretation of individual courts when actions are brought under it, mark my
words: it will be used in ways that nobody defending it in this thread has
thought about, to impose fines and other sanctions on companies (perhaps even
some of the startups of HN users, should some government person in the EU take
issue with their business) for reasons that you may very well not agree with.

[1] [https://www.craigslist.org/about/FOSTA](https://www.craigslist.org/about/FOSTA)

~~~
randomsearch
I believe previous legislation regarding cookies was a mess like you said, and
a big learning process for the EU.

I’ve worked with people who are experts on the new regulations. They don’t
seem to be at all confused about what it means or implies. The only unknowns
they’re talking about are the practicalities of someone like Facebook
conforming, e.g. requesting many different permissions. But that’s because
businesses like Facebook are doing unethical stuff, i.e. they’ve been doing
things you really won’t want to explicitly give them permission to do.

