Late yesterday Reuters reported on a change incoming to Facebook’s T&Cs that it said will be pushed out next month — meaning all non-EU international users are switched from having their data processed by Facebook Ireland to Facebook USA.
With this shift, Facebook will ensure that the privacy protections afforded by the EU’s incoming General Data Protection Regulation (GDPR) — which applies from May 25 — will not cover the ~1.5BN+ international Facebook users who aren’t EU citizens (but currently have their data processed in the EU, by Facebook Ireland).
The U.S. does not have a comparable data protection framework to GDPR, while the incoming EU framework substantially strengthens penalties for data protection violations, making the move a pretty logical one for Facebook’s lawyers thinking about how it can shrink its GDPR liabilities.
Reuters says Facebook confirmed the change to it, though the company played down the significance — repeating its claim that it will be making the same privacy “controls and settings” available everywhere. (Though, as has been previously pointed out, this does not mean the same GDPR principles will be applied by Facebook everywhere.)
At the time of writing Facebook had not responded to a request for comment on the change.
Critics have couched the T&Cs shift as regressive — arguing it’s a reduction in the level of privacy protection that would otherwise have applied for international users, thanks to GDPR. Although whether these EU privacy rights would really have been enforceable for non-Europeans is questionable.
According to Reuters the T&Cs shift will affect more than 70 per cent of Facebook’s 2BN+ users. As of December, Facebook had 239M users in the US and Canada; 370M in Europe; and 1.52BN users elsewhere.
It also reports that Microsoft-owned LinkedIn is one of several other multinational companies planning to make the same data processing shift for international users — with LinkedIn’s new terms set to take effect on May 8, moving non-Europeans to contracts with the U.S.-based LinkedIn Corp.
In a statement to Reuters about the change LinkedIn also played it down, saying: “We’ve simply streamlined the contract location to ensure all members understand the LinkedIn entity responsible for their personal data.”
One interesting question is whether these sorts of data processing shifts could encourage regulators in international regions outside the EU to push for a similarly extraterritorial scope for their data protection laws — or face their citizens’ data falling between the jurisdiction cracks via processing arrangements designed to shrink companies’ legal liabilities.
Another interesting question is how Facebook (or any other multinationals making the same shift) can be entirely sure it’s not risking violating any of its EU users’ fundamental rights if it accidentally misclassifies an individual as a non-EU international user — and processes their data via Facebook USA.
Keeping data processing processes properly segmented can be difficult. As can definitively identifying a user’s legal jurisdiction based on their location (if that’s even available). So while Facebook’s T&C change here looks intended to shrink its legal liabilities under GDPR, it’s possible the change will open up another front for individuals to pursue strategic litigation in the coming months.