GDPR, Facebook Bring Customer Data Protection Into The Limelight
Insofar as Facebook’s customer data issue emerged while the marketplace was fixated on GDPR compliance, it should come as no shock that some are connecting the two concepts.
Earlier this month, the Trans Atlantic Consumer Dialogue (TACD) wrote a letter urging Facebook to comply with the EU-centric GDPR on a global basis.
CCW Digital contributor Deborah Beckwin detailed the story – and the broader ramifications of the GDPR – in a recent piece. That article is featured below.
Shortly after Beckwin issued her story, Facebook confirmed its plan for GDPR compliance.
Earlier this month, the Trans Atlantic Consumer Dialogue (TACD), a joint US and EU consumer advocacy group, wrote to Facebook’s CEO Mark Zuckerberg urging the company to adopt the principles of the General Data Protection Regulation for all users (not just those in the EU).
This letter comes on the heels of recent revelations that UK political consulting firm Cambridge Analytica used data from millions of Facebook users for micro-targeted ads in President Trump’s 2016 election campaign as well as the winning Brexit campaign.
“We urge you to confirm your company’s commitment to global compliance with the GDPR and provide specific details on how the company plans to implement these changes in your testimony before the US Congress this week,” the letter stated. “There is simply no reason for your company to provide less than the best legal standards currently available to protect the privacy of Facebook users.”
TACD hopes that Facebook will globally adopt the GDPR to prevent future data breaches.
What Is the GDPR?
The EU created the GDPR, which becomes effective on May 25, 2018. This legislation replaces the Data Protection Directive 95/46/EC. The goal of the legislation is to have a single data protection law that all 28 EU member states can use. This means that member states will no longer need to create their own individual data protection laws.
According to Digital Guardian, the GDPR requires better safeguards for the processing and transfer of personal data. The law covers anonymizing collected data, notification of data breaches, the safe transfer of data across borders, and consent from data subjects for data processing. Any business, no matter its location, that markets services or goods to EU residents is required to comply with this law.
Here are some key impacts to consider:
- More stringent and uniform data notification policies, including having to notify a supervisory authority within 72 hours of a personal data breach.
- A mandatory data protection officer, whose job will involve monitoring GDPR compliance within a business.
- Clearer consent for data users. Opting out will no longer be the default. “A statement or a clear affirmative action” will be required.
- Restrictions and transparency on customer profiling. Targeted marketing has become the de rigueur marketing practice. The GDPR will greatly impact how businesses market to potential customers, as users must now be notified when profiling may occur, as well as of the methods and consequences of data collection. Users will also have the autonomy to object to data processing and profiling at any time.
- Users can request personal data erasure. Although this is not an unlimited right, this gives users more personal control over how their data is used.
Other new limits and refinements on data privacy include:
- How data is transferred internationally
- Clearer delineation between data “processors” and “controllers”
- Pseudonymization of personal data
- GDPR code of conduct and certifications to show compliance
- GDPR violations
Facebook’s Entanglements with the Federal Government
On April 12th, Zuckerberg was questioned in two congressional hearings by almost 100 members of Congress about his company’s current efforts and plans to secure user data. Lawmakers remain skeptical of Facebook’s ability to clean up its act.
Zuckerberg apologized for the data breach and conceded that regulation of social media platforms would be inevitable. But critics are unsure if Congress will actually take the necessary steps to regulate since Republican leadership has been more concerned with stripping away current regulation.
Zuckerberg may be done with Congress for now, but his company is just getting started with its involvement with the federal government. The Federal Trade Commission is currently investigating Facebook for violation of the FTC Act, which could mean hefty fines for the social media company.
GDPR’s Potential Impact on Businesses and Customers
Although the TACD has reached out to Facebook to comply with the GDPR, this sweeping legislation will become effective in a little over a month and will have widespread implications for any business that has customers in the EU. To help businesses prepare, the International Association of Privacy Professionals (IAPP) has compiled a list of 10 operational impacts of the GDPR.
Data privacy clearly must be strengthened, especially to build trust between customers and businesses, and the way companies do business will need to change accordingly. The IAPP provides a 12-step guide on how to prepare.
It remains to be seen how the GDPR will impact American legislation as well as restore customer trust—but it may be a needed step in the right direction.