The shifting of US, Canadian, and non-EU users to the responsibility of Facebook's California offices rather than its international HQ in Ireland means that those users will be subject to US privacy laws rather than the stricter European laws, which after May 25 will be stricter still as GDPR comes into force. This move comes even though CEO Mark Zuckerberg indicated in April 2018 that privacy protections would "directionally be in the spirit" of GDPR, even if the details weren't quite worked out. He also testified to the US Congress in April 2018 that GDPR controls would apply to all users, but it is likely that he was referring to the tools enabling the downloading and deleting of personal data as required by GDPR. Facebook's decision to move non-EU users out from under the scope of the GDPR indicates that it does not intend to apply GDPR protections outside of Europe. Data regulators in other markets are likely to be watching with interest to see if user rights in their territories are removed, contrary to the laws in that country.
Meanwhile, Facebook first considered implementing facial recognition in the EU in 2012, but concerns from data regulators saw the service rollout halted. But as part of reconfirming data permissions ahead of GDPR, Facebook is now asking users in the EU (and in Canada) to opt in to facial recognition technology once more. The technology involves creating a template of an individual's face using their profile picture and any other pictures they have been tagged in. Facebook can then use this template to prompt users to tag photos with the names of the people in that picture, in order to automate and improve the tagging process. Facebook also pointed out that facial recognition can be used to detect when people attempt to use someone else's image as their profile picture and so protect users from impostors.
However, the Irish Data Protection Regulator is already suggesting that there may be problems with the way Facebook is performing facial recognition, and in particular that it might have to scan the images of people who have not consented to the facial recognition service in order to detect people who have opted in to facial recognition.
Facebook can ill afford more negative press around privacy, since it would probably both push users away from its service and give advertisers pause for thought about using the platform. But these latest moves from Facebook risk raising the ire of data protection regulators around the world. The Irish Data Protection Regulator in particular has already indicated that the facial recognition feature may not be GDPR compliant. Not much prompts Facebook into making changes, but the threat of a fine of up to 4% of global turnover for breaking GDPR – which would have amounted to a whopping $1.6bn in 2017 and could be even bigger in 2018 – might well focus minds at Menlo Park.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.