Two quick news items to promote and solicit viewpoints.
First, I was surprised by this statement a couple of days ago. "The 89 percent of users served from Facebook Ireland—even those who don’t live in EU countries—will already benefit from the GDPR’s legal protection, regardless of public promises, and can seek redress through European regulators and courts."
If it is true that these global users -- all except the US and Canada -- are served from Ireland, then according to Article 3(1), all 1.9 billion of them should be due full GDPR protections and rights as of 25 May. It seems to me that that, combined with the Article 5 requirements for purpose specification and limitation plus the heightened awareness around data abuse, could equal a significant revenue impact for Facebook.
Make sense?
Of course, if the impact is significant enough, it could motivate FB to restrict Ireland to serving EU residents and deal with the rest of the globe from elsewhere.
Second, that highlights the question of how successful FB will be in getting users to consent to purposes that go beyond those necessary to facilitate social exchanges. And this article says that FB has started rolling out the requests. FB provided a sample of a consent request for facial recognition. (I'll try to embed it here, but it didn't work last time.) I can't see how any data protection authority is going to find this acceptable. (But then, the lead DPA for FB will be Ireland's Helen Dixon, who has until now shown no backbone in standing up to FB re Max Schrems's complaints.)
The left screen asks for consent for facial recognition. But instead of the "affirmative action" choices being Accept/Refuse or Allow/Disable, they are "Accept and Continue" or "Manage Data Setting."
Problem #1: The request is not "clear" and "transparent" as required by the GDPR. A request to accept or decline a given type of data collection should offer accept or decline actions. Instead, users can accept, or they can . . . ugg, yuck, "manage my data settings"? Sounds hard. I'll just accept.
If you do select Manage Data Setting -- that is, if you want to say NO -- you're presented (I presume) with the screen on the right. This does nothing but ask AGAIN if Facebook can use facial recognition. Even I (a trained sceptic) initially thought this was a different question. The choices after this question -- allow/don't allow -- are the ones that ought to have been presented on the left screen.
Finally, note that according to one quote in this article, FB itself evidently thinks that GDPR protections apply only in the EU, not for the 1.9 billion served from Ireland. Namely: "The company says that “people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR.”"
Cheers,
tw