Facebook to roll out global privacy settings hub — thanks to GDPR

Facebook COO Sheryl Sandberg has said major privacy changes are coming to the platform later this year, as it prepares to comply with the European Union’s incoming data protection regulation.

Speaking at a Facebook event in Brussels yesterday, she said the company will be “rolling out a new privacy center globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data” (via Reuters).

Last year the company told us it had assembled “the largest cross functional team” in the history of its family of companies to support General Data Protection Regulation (aka: GDPR) compliance.

From May 25 this year, the updated privacy framework will apply across the 28 Member State bloc — and any multinationals processing European citizens’ personal data will need to ensure they are compliant. Not least because the regulation includes beefed-up liabilities for companies that fail to meet its standards. Under GDPR, penalties can scale as large as 4% of a company’s global turnover.

In Facebook’s case, based on its 2016 full year revenue, the new rules mean it could be facing fines that exceed a billion dollars — giving the company a rather more sizable incentive to ensure it meets the EU’s privacy standards and isn’t found to be playing fast and loose with users’ data.

Sandberg said the incoming changes will give the company “a very good foundation to meet all the requirements of the GDPR and to spur us on to continue investing in products and in educational tools to protect privacy”.

“Our apps have long been focused on giving people transparency and control,” she also remarked — a claim that any long-time Facebook user might laugh at rather long and hard.

Long history of hostility to privacy

Facebook has certainly made a lot of changes to privacy and control over the years, though its focus has rarely seemed aimed at “giving people transparency and control”.

Instead, many of its shifts and tweaks have been positioned to give the company more ways to exploit user data while simultaneously nudging people to give up more privacy (and thus hand it more options for exploiting their data).

Here, for example, is an EFF assessment of a 2009 Facebook privacy change — ostensibly, Facebook claimed at the time, to give users “greater control over their information”:

These new “privacy” changes are clearly intended to push Facebook users to publicly share even more information than before. Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.

Among the changes Facebook made back then was to “recommend” preselected defaults to users that flipped their settings to share the content they post to Facebook with everyone on the Internet. (This recommendation was also pushed at users who had previously specified they wanted to limit any sharing to only their “Networks and Friends”.)

Clearly that was not a pro-privacy change. As we warned at the time, it could (and did) lead to “a massive privacy fiasco” — given it encouraged Facebookers to inadvertently share more than they meant to.

A mere six months later — facing a major backlash and scrutiny from the FTC — Facebook was forced to rethink, and it put out what it claimed was a set of “drastically simplified” privacy controls.

Though it still took the company until May 2014 to change the default visibility of users’ statuses and photos to ‘friends’ — i.e. rather than the awful ‘public’ default.

Following the 2009 privacy debacle, a subsequent 2011 FTC settlement barred Facebook from making any deceptive privacy claims. The company also settled with the Irish DPA at the end of the same year — after privacy complaints had sparked an audit in Europe.

So in 2012, when Facebook decided to update its privacy policy — to give itself greater control over users’ data — it was forced to email all its users about the changes, as a consequence of those earlier regulatory settlements.

But it took direct action from EU privacy campaigner Max Schrems to force Facebook to put the proposed changes up for a worldwide vote — by mobilizing opinion online and triggering a long-standing Facebook policy governance clause (which the company couldn’t exactly ignore, even as the structure of the clause essentially made it impossible for a user vote to block the changes).

At the time Schrems was also campaigning for Facebook to implement an ‘Opt-In’ instead of an ‘Opt-Out’ system for all data use and features; and also for limits on use of users’ data for ads. So, in other words, for exactly the sorts of changes GDPR is likely to bring in — with its requirement, for instance, that data controllers obtain meaningful consent from users to process their personal data (or else find another legal basis for handling their data).

What’s crystal clear is that, time and again, it’s taken regulatory and/or privacy campaigner pressure to push Facebook away from user-hostile data practices.

And that prior to regulatory crackdown the company’s intent was to reduce users’ privacy by pushing them to make more of their data public.

But even since then the company has continued to act in a privacy hostile way.

Another major low in Facebook’s privacy record came in 2016, when its subsidiary company, messaging giant WhatsApp, announced a privacy U-turn — saying it would begin sharing user data with Facebook for ad-targeting purposes, including users’ phone numbers and their last seen status on the app.

This hugely controversial anti-privacy move quickly attracted the ire of European privacy regulators — forcing Facebook to partially suspend data-sharing in the region. (The company remains under scrutiny in the EU over other types of WhatsApp-Facebook data-sharing which it has not paused.)

Facebook was eventually fined $122M by the European Commission, in May last year, for providing “incorrect or misleading” information to the regulators that had assessed its 2014 acquisition of WhatsApp (not a privacy fine, btw, but a penalty purely for a process failing).

At the time Facebook had claimed it could not automatically match user accounts between the two platforms — before going on to do just that two years later.

The company also only gave WhatsApp users a time-limited, partial opt-out for the data-sharing. Again, an approach that just wouldn’t wash under GDPR.

EU citizens who consent to their personal data being processed will also have a suite of associated rights — such as being able to ask for the data to be deleted, and the ability to withdraw their consent at any time. (Read our GDPR primer for a full overview of the fast-incoming changes.)

While the full impact of the regulation will take time to shake out — the exact shape and tone of Facebook’s new global privacy settings center remains to be seen, for example — European Union lawmakers are already rightly celebrating a long overdue shift in the balance of power between platforms and consumers.