Is This European Law Behind Facebook's Privacy Shift?

Facebook announced last week that it will no longer offer its advertisers an extra dollop of consumers’ personal data from massive third-party credit aggregators Experian and Acxiom. For most users of the social media site, the fact that their baby pictures, current events commentary and updates on Mom’s surgery have been flowing into a data stream that also included their finances, household income, and myriad sundry details like whether they have a funeral plan, probably came as a bit of a surprise.

It shouldn't. In the digital age, Americans going about their lives leave crumbs of personal information behind, from their preference in toilet paper to what they buy for lunch to when and where they commute, all day, every day. That adds up to a staggering amount of data, all being hoovered up, analyzed and sold. According to a 2014 Federal Trade Commission Report on the business of Big Data, data brokers hold and store thousands of data points on every U.S. household and commercial transaction. The FTC report covered nine data brokers and reported that one data broker’s database had information on 1.4 billion consumer transactions and more than 700 billion aggregated data elements; another data broker’s database covered one trillion dollars in consumer transactions; and yet another data broker added three billion new records each month to its databases. One of the nine data brokers held 3000 data segments for nearly every U.S. consumer.

Meanwhile, privacy activists in Europe have been fighting against Big Data, filing lawsuits to restrict companies from amassing and sharing personal data, and now, about to unleash a game-changing set of regulations on Silicon Valley called the General Data Protection Regulation. This new European law basically gives consumers ownership control over their personal data, including the right to decide whether to share it or not, and to delete it. It may change the way social media companies and other data collectors operate, not just in Europe but around the world.

For the most part, Americans have been pretty nonchalant about all this. After Edward Snowden’s revelations about U.S. government digital surveillance programs, activists like the Electronic Frontier Foundation (EFF) have been fighting national security data collection. The specter of Big Brother has motivated some political pushback, and the government stopped its bulk phone surveillance program, under pressure.

American consumers seem to value convenience over privacy, and there has been little political will to interfere with Big Data’s role in commerce. A recent Reuters/Ipsos poll - conducted after the recent revelations about misuse of personal data from 50 million Facebook users - also found the vast majority of Americans have not taken individual steps to protect their information.

Danny O’Brien, International Director of the EFF,  said he believes Americans and Europeans are both concerned that existing law is not being applied, but the approaches to the problem are different based on the available legal framework. Americans tend to rely on the Constitution - the 4th Amendment protection against search and seizure - which is applicable to government access to data. Meanwhile, Europeans have “strong, basic laws about data protection” in their European Charter, which was drafted in 2000, well into the digital age. But so far, neither framework has significantly restricted Big Data. “ When we research this, we find that people on both sides of the Atlantic have a growing insecurity about how their data is used, but often feel hopeless to change it. They all want more control over their privacy,” he said.

"Privacy means something different for everyone,” Dipayan Ghosh, a former privacy and policy advisor to Facebook and currently a fellow at Harvard’s Kennedy School of Government, told Newsweek. “While some people choose to abstain from sharing any information about themselves over the internet, others use every web service available, from Facebook to Gmail to Uber. On Capitol Hill, that diversity of opinion translates to a lack of any political will to move on privacy issues.”

He added that while the U.S. protects privacy primarily through what he termed light-touch regulation and slaps on the hand, European policymakers “regard privacy as a fundamental human right and protect it as such.”

The European Union law, GDPR, comes into force on May 25. It will govern the storage and processing of data and grants consumers ownership and control of personal data, the right to be informed, the right of access, the right to correct errors, the right to erase data, and the right to restrict processing, and to take their data elsewhere.

Some observers believe the timing of Facebook’s announcement - and even the timing of the growing scandal around its data breaches - has as much to do with the GDPR as it does with the scandal over how Facebook’s trove was used by the Trump campaign and Cambridge Analytica.

Nobody knows exactly how the new law will be applied. Ghosh said the big companies -  Facebook, Google, Experian and Acxiom - are mostly about 90 percent compliant already, “but they’re rough around the edges,” and might have to change the way they offer services in Europe. “The devil will be in the details of enforcement,” Ghosh said. “It might be that regulators will have a tough time enforcing GDPR to the letter against U.S. tech companies because the industry has considerable power and popularity in Europe.”

Theoretically, regulators could levy massive fines against Facebook, based on the EU’s new framework that individuals - not platforms, credit agencies or brokers - own their data. London-based cyber expert Evgeny Chereshnev, formerly an executive with cyber-security giant Kaspersky Lab and now developing a personal data control system called BiolinkTech, estimated that based on Facebook’s reported $40 billion annual revenue, the value of the data of individual users in the United States and Western European countries (whose value to advertisers is higher than in poor nations) is probably $200 each, annually.  By that math, if the EU law is applied stringently, Facebook could back-owe hundreds of millions of Facebook users monetary compensation adding up to trillions.

“The GDPR is unprecedented,” Chereshnev said. “It states that starting on the 25th of May everybody has a right to own all the data that exists and the right to delete it. If a company doesn’t comply, the law allows fines up to 10 and 20 million a year, up to 4 percent of global turnover. With Cambridge and Facebook, the number could be in the trillions. These are unimaginable fines. Nobody would have thought this would be true a month ago.”

Meanwhile, American privacy advocates have been howling into the wind for years. The Electronic Privacy Information Center (EPIC) and other privacy rights organizations filed a complaint with the Federal Trade Commission to look into Facebook as far back as 2011 for its data sharing practices. Facebook settled a resulting FTC charge that “it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” an FTC statement said at the time. “The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established.”

After revelations about the Cambridge data breach, involving as many as 50 million Facebook users, EPIC and other consumer groups last week urged the FTC to reopen its investigation into Facebook for violating the FTC's 2011 Consent Order. Congressional investigations are also continuing.

Chereshnev believes the GDPR could be a catalyst for large-scale change. “If you look at the history of the internet,  back in the digital Ice Age, IBM used to rule the world, Yahoo was the first search engine, and nobody remembers that. Nobody remembers Myspace,” he said. “There is always potential for absolutely, insanely, game-changing events. The landscape can change in a year. And the internet can change one more time. The genie can be put back into the bottle but will require tremendous efforts.”

But it won’t be a quick shift. Last year Trump signed into law a Congressional act repealing privacy restrictions on telecom giants - internet providers with access to internet usage inside households. Broadband providers like AT&T, Verizon, Sprint and others now have the the right to sell data. Furthermore, tech companies have been opposed to restrictions, said Marc Rotenberg, of EPIC: "Tech firms have blocked updates to U.S. privacy laws. Now it is time for them to step aside.”

Sen Mark R. Warner, D-Va., vice chair of the Senate Select Committee on Intelligence, told Newsweek that American law is still catching up to technology. “As new technology emerged over the last few decades that has helped us connect with the rest of the world, the notion of privacy has similarly evolved,” he wrote in an email. “The need to protect consumer data has gained more attention as social media companies have become more interconnected in our daily lives and data breaches have become the norm.”

The American regulatory framework regarding privacy has been wary of affecting the value of data to targeted advertising. But social media platforms have little else to sell. In fact, the CEO of Cambridge Analytica’s parent company, SCL, Nigel Oakes, worked at the corporate event division of global ad giant Saatchi & Saatchi, before venturing into the dark arts of propaganda and election influence.

“In the case of Facebook and other companies, what we’ve seen is a realization that there is a dark underbelly to social media and the information we share online,” Warner wrote. “While these companies are great American success stories and we shouldn’t be regulating them into oblivion, it is time for them to accept responsibility for the potential misuse of their platforms.”

Silicon Valley’s leaders tend libertarian, and even those who have publicly criticized Facebook, including Elon Musk and Apple’s Tim Cook, have never agitated for more legal oversight into their industry. "I think the best regulation is no regulation, is self-regulation," Cook said in an interview about Facebook with Recode's Kara Swisher and MSNBC's Chris Hayes, to air April 6. "However, I think we're beyond that here.”  

The Apple exec then uttered a line that sounds startlingly European: "Privacy to us is a human right, a civil liberty.”