RE: [projectvrm] Facebook and GDPR


  • From: "T.Rob" < >
  • To: "'Tim Walters'" < >, "'ProjectVRM list'" < >
  • Subject: RE: [projectvrm] Facebook and GDPR
  • Date: Wed, 18 Apr 2018 14:40:01 -0400

Hi Tim,

> FB itself evidently thinks that GDPR protections apply only in the EU, not for the 1.9 billion served from Ireland.

This reminds me of my days at Equifax back around 1992.  The company sold unqualified mailing lists at a rate of several names for a dollar.  Qualified lists were far more valuable but qualification that rises to the definition of a credit inquiry would need to be both authorized and reported to the consumer.  The challenge then was to improve the quality and per capita price of the list without triggering a formal credit inquiry. 

Fortunately for Equifax, their Telecredit division (the predecessor company I worked for before the merger) performed both check and card authorizations, ran a robust investigatory unit, and maintained a comprehensive derogatory information file.  So they had plenty of 1st party transactional data and personal information on which credit worthiness could be estimated without consulting the consumer's credit file.

The hard part was figuring out how the data could legally be used depending on the combination of three different jurisdictions:

1. The US state where the transaction took place.
2. The US state of the buyer's permanent residence.
3. The US state of jurisdiction of the company making the sale.

Our software had to determine how much qualification we could do on a given consumer based on as many transactions as we had 1st party knowledge of and for each of those the intersection of as many as three different jurisdictions.  Equifax ultimately had to answer to Federal regulators but the system lived in the conflicting interests of the various jurisdictions and a viable argument could be made for just about any use of the data by playing them off one another.  The anticipated benefit of any potential action had to exceed by a large margin the cost of untangling the jurisdictional issues, and with a fair chance of success.

Did this work? The model Equifax implemented was so successful it got spun off as ChoicePoint - the company that sells domestic surveillance to the US government agencies who are forbidden from conducting exactly that sort of surveillance.

The issue you describe is similar, but mapped along country-level jurisdictions. The GDPR might claim jurisdiction based on physical location of servers and data but another country, China for example, might object to imposition of GDPR protocols to its own residents, especially when that potentially gives the data subjects more rights than does their home jurisdiction.

Having lived through the domestic version of this, the notion that "people in the EU will see specific details relevant only to people who live there" seems to me to be exactly the approach I'd expect from a company that grew up steeped in US business culture and accustomed to US regulatory traditions.  Absent a global version of the FTC, hiding behind jurisdictional conflicts should be even more effective than in the domestic case.

My prediction is that Zuck will do exactly that and that this tactic will be successful for the foreseeable future.  "I'd be happy to bolster user protections even further if only someone authoritative (not us!) would iron out the jurisdictional conflicts. Oh by the way, who or what is authoritative over these issues? Let me know when you figure that out, yeah?"  Time will tell how far I'm off base here but I don't see our policy grasp catching up to our technology reach any time soon and jurisdictional conflict largely defines the delta between the two.

Kind regards,

-- T.Rob

T.Robert Wyatt, Managing partner

IoPT Consulting, LLC

+1 704-443-TROB (8762) Voice/Text

https://ioptconsulting.com

https://twitter.com/deepqueue

From: Tim Walters [mailto: ]
Sent: Wednesday, April 18, 2018 13:05 PM
To: ProjectVRM list
Subject: [projectvrm] Facebook and GDPR

Two quick news items to promote and solicit viewpoints.

First, I was surprised by this statement a couple of days ago. "The 89 percent of users served from Facebook Ireland—even those who don’t live in EU countries—will already benefit from the GDPR’s legal protection, regardless of public promises, and can seek redress through European regulators and courts."

If it is true that these global users -- all except the US and Canada -- are served from Ireland, then according to Article 3(1), all 1.9 billion of them should be due full GDPR protections and rights as of 25 May. It seems to me that that, combined with the Article 5 requirements for purpose specification and limitation plus the heightened awareness around data abuse, could equal a significant revenue impact for Facebook.

Make sense?

Of course, if the impact is significant enough, it could motivate FB to restrict Ireland to serving EU residents and deal with the rest of the globe from elsewhere.

Second, that highlights the question of how successful FB will be in getting users to consent to purposes that go beyond those necessary to facilitate social exchanges. And this article says that FB has started rolling out the requests. FB provided a sample of a consent request for facial recognition. (I'll try to embed it here, but it didn't work last time.) I can't see how any data protection authority is going to find this acceptable. (But then, the lead DPA for FB will be Ireland's Helen Dixon, who has until now shown no backbone in standing up to FB re Max Schrems' complaints.)

The left screen asks for consent for facial recognition. But instead of the "affirmative action" choices being Accept/Refuse or Allow/Disable, they are "Accept and Continue" or "Manage Data Setting."

Problem #1: The request is not "clear" and "transparent" as required by the GDPR. A request to accept or decline a given type of data collection should offer accept or decline actions. Instead, users can accept, or they can . . . ugg, yuck, "manage my data settings"? Sounds hard. I'll just accept.

If you do select Manage Data Setting -- that is, if you want to say NO -- you're presented (I presume) with the screen on the right. This does nothing but ask AGAIN if Facebook can use facial recognition. Even I (a trained sceptic) initially thought this was a different question. The choices after this question -- allow/don't allow -- are the ones that ought to have been presented on the left screen.

Finally, note that according to one quote in this article, FB itself evidently thinks that GDPR protections apply only in the EU, not for the 1.9 billion served from Ireland. Namely: "The company says that “people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR.”"

Cheers,

tw
