ar130405 - Fotolia

Facebook is ready for GDPR, says Zuckerberg

Facebook chief Mark Zuckerberg has claimed the social network is ready for GDPR, but failed to give any answers to the most probing questions posed by European MEPs

Facebook will be fully compliant with the EU’s General Data Protection Regulation (GDPR) by the compliance deadline of 25 May 2018, Facebook founder and chief executive Mark Zuckerberg has told members of the European parliament in Brussels.

The Facebook app has already presented European members with the revised settings required and “a large percentage of the users had already reviewed them”, he said.

The GDPR is aimed at improving privacy rights for consumers, and it was hoped that the regulation will provide protections for Facebook users around the world through provisions in the regulation, such as requiring one of six legal bases for collecting and using personal data.

Any company that fails to comply with the GDPR, which includes obligations to protect personal data and report any breaches, could face fines of up to 4% of its global annual turnover, which in Facebook’s case would be $1.6bn, based on 2017 figures.

However, Zuckerberg did not answer the question about whether Facebook had moved the data of 1.5 billion users out of reach of the law by shifting the responsibility for all users outside the US, Canada and the EU from its international headquarters in Ireland to its main offices in California to a site governed by US law rather European law.

This was one of several key questions that Zuckerberg dodged in the 90-minute session, with most commentators blaming the format of the session in which all the questions were put to him before he was asked to respond.

The format allowed Zuckerberg to “cherry-pick his responses and not respond to each individual point”, said Damian Collins, chair of the UK Parliament’s Digital Culture Media and Sport Committee, told the BBC.

Read more about GDPR

Beyond apologising for Facebook’s role and for Facebook’s tools being “used for harm”, Zuckerberg said very little about the data exploitation scandal involving London-based data-mining firm Cambridge Analytica, in which the profile data of nearly 1.1 million Britons out of a total of 87 million Facebook users was extracted by a quiz app downloaded by just 305,000 people.

However, he did say he expected to find other apps that had misused customer data beyond the 200 already suspended, adding that an internal investigation into thousands of third-party developers to see if there are similar cases to the Cambridge Analytica case would take “many months”.

Other key questions Zuckerberg failed to answer included questions about whether Facebook was a monopoly, how it plans to use data from its WhatsApp division, why Facebook collects and stores data about non-users in so-called “shadow profiles”, users’ ability to opt out of political advertising, and the true scale of data abuse on the platform.

The European commissioner on justice and consumer affairs, Vera Jourová, said she would be closely following the work of national data protection authorities in enforcing the GDPR. “As of Friday, strong new EU data protection rules will be in place,” The Guardian quoted her as saying. “These rules will have teeth and protect Europeans. They come just in time.”

Facebook has rolled out consent-gathering controls and a set of tools worldwide to let users exercise their rights under GDPR, such as downloading and deleting data.

Facebook is among 30 organisations under investigation by the UK Information Commissioner’s Office (ICO) for misusing personal data for political and other purposes. The ICO is also looking at how data was collected from a third-party app on Facebook and shared with Cambridge Analytica.

While Facebook has been cooperating with the ICO, information commissioner Elizabeth Denham said in early April that it is too early to say whether the changes the social networking firm is making are sufficient under the law, commenting that this an “important time” for privacy rights.

Read more on Privacy and data protection