Facebook on collision course with new EU privacy laws
| Dublin, Ireland
With its initial public offering this week, Facebook is roaring ahead. However, new European Union privacy regulations are taking聽aim at Internet companies' ability to profit through control of personal information 鈥 the key to their tremendous online advertising聽profits.聽
Now in its eighth year, social networking website Facebook is set to become the hottest ticker on Wall Street 鈥 and it's not hard to聽see why. With 800 million users worldwide and $3.71 billion in sales in 2011, the company's IPO is expected to raise between $50聽billion and $100 billion on the open market.
But with a business model built on leveraging user data to sell targeted advertising, Facebook, Google, and other Internet聽companies are on a collision course with EU demands that its citizens' right to privacy be respected. The EU regulations pit two Internet philosophies against each other: 1) that more regulation is needed in order to protect unwitting users, 2) that more聽regulation will encourage overactive censorship.聽
Giving users more control
On Jan. 25, EU Justice Commissioner Viviane Reding unveiled a wide-ranging data protection program that aims to regulate all聽companies doing business online in the EU, not just those based there. The data protection laws, which will take about a year to be enacted, will be uniform across all 27 member states.聽
"Companies must understand that if they want access to 500 million consumers in the EU, then they have to comply. This is not an聽option," says Matthew Newman, spokesperson for the justice commissioner.聽
The proposal prescribes fines of up to 鈧1 million ($1.3 million) or 2 percent of annual revenue, includes a "right to be forgotten"聽that allows users to permanently delete their data, and allows users easier access to their data and easier migration of it to other services.聽Additionally, companies wishing to do business in the EU will聽need a representative based there.
"The principle behind [the right to be forgotten] is quite simple: it's your data, you're in control of it and you get to decided what is聽done with it," says Mr. Newman.聽
Jeffrey Rosen, legal commentator and law professor at George Washington University, says he supports tougher privacy聽regulations, but called the EU's "right to be forgotten" a "legal minefield."聽
Mr. Rosen says the regulations will create a dramatic clash between the right to freedom of expression and the right to privacy,聽arguing that under the proposal, websites like Facebook will be obliged to not only to delete on request material that users upload,聽such as photos, but any shared copies of photos 鈥 and potentially even material uploaded by third parties that another user objects聽to.聽
The new rules will bring Europe and the United States' different privacy norms face to face.
"There are hugely different cultures. Europe tends to trust the state and not private companies and in America it's the reverse.聽There's also a difference of tradition between dignity and liberty," Rosen says. "There is potential for radical disruption of the way聽users experience the Internet in the EU. This would transform Facebook and Google into censors-in-chief."
The question of privacy vs. openness hits at the heart of a major commercial issue in the Web 2.0 world, where personal聽data is traded for free access to online services.聽
As part of the company's IPO announcement, Facebook founder and CEO Mark Zuckerberg sent a letter to shareholders,聽saying, "Facebook was not originally created to be a company. It was built to accomplish a social mission 鈥 to make the world more聽open and connected."
The Wild West of online data
Users of online services need to be more aware of what data is collected and how it is used, says Kieron O'Hara, a philosopher聽working at the University of Southampton's school of computer science in Britain.
"We are giving away too much [private information] partly because of a lack of awareness of who owns what data," he says.聽"Facebook was able to raise large amounts of money precisely because it has a business model waiting to be put into operation:聽data on hundreds of millions of users."
Joe McNamee of the European Digital Rights (EDRI) non-governmental organization, which supports the new regulation, says that聽many people still do not understand the importance of privacy online, or quite how much data is collected and stored or by whom.
"Back in the mists of time when people first started Internet companies and phone companies, nobody thought data was going to be聽stored for years under state mandates. People would have said you were nuts if you said so, or that airline data would be stored聽and shared, but now we have the EU-US PNR [passenger name records] agreement which does just that."
He believes the new regulation will simplify doing business across the EU by unifying data protection laws 鈥 and building users'聽trust, which could actually benefit companies in the long run.
"There's a lot Facebook is worrying about, but I don't think there's a lot [for it] to worry about," he says. "If people feel, due to the Wild聽West nature of online data, they should avoid services or block [advertisements] online, then that's not in the companies' interest."
A challenge in Ireland
Facebook is already under scrutiny under existing EU legislation. Austrian law student Max Schrems complained to the Irish聽government's Data Protection Commissioner (Facebook's EU operations are based in Dublin) about the retention of information about him that Facebook claimed had been deleted.
The commissioner issued the results of its audit on Dec. 21, 2011, saying Facebook was in general compliance with data protection聽laws and that targeting advertisements based on information they provided on Facebook was "legitimate," but recommending聽changes to Facebook's user policy to make users aware "through transparent notices" that their personal data was being used to聽target advertising.聽
The audit also criticized Facebook's sign-up process, saying "at the point of signup a person could not reasonably be expected to聽fully understand or comprehend what it means in practice to have consented to the use of their data in this way."
Facebook has agreed to make changes, which will be assessed by the Data Protection Commissioner in July 2012.
Europe V. Facebook, the organization founded by Mr. Schrems, rejected the results of the Irish audit as insufficient and plans to聽appeal to both Irish courts and EU authorities.
Europe V. Facebook is not alone. The Independent Center for Privacy in the German state of Schleswig-Holstein criticized the Irish聽report, saying it relied on "often unverified" assertions by Facebook.
One central allegation was that Facebook was creating "shadow profiles" of nonusers based on data collected from other websites聽that include Facebook features such as "like" buttons. The audit report confirmed information was collected, but said the data was not聽used for anything and will now be actively deleted.
"The report is a peculiar little beast," says TJ McIntyre, law lecturer at University College Dublin and founder of Digital Rights聽Ireland. "It's not really an investigation of the complaints. Max Schrems' complaints are still awaiting a formal response."
Ireland is a popular choice for multinational companies looking for a place to base their European operations, as Facebook did. Gary Davis,聽Ireland's deputy Data Protection Commissioner, says that for the country to continue attracting foreign investment, it needs to work with Facebook and similar companies to help them meet regulations, not punish them and deter their investment 鈥 and that it needs to balance that with enough to be seen as credible by both the companies and their users.
"If we're going to continue to attract multinational companies we have to be able to credibly regulate them," he says.
Facebook did not respond to inquiries for this story.聽
