The imminent implementation of the EU's General Data Protection Regulation (GDPR) has been hailed as a victory for global privacy advocates; since the regulation severely limits the collection of data on Europeans — even when they're communicating with non-Europeans — services like Facebook would risk running afoul of the GDPR if they collected data on anyone in a way that violated EU rules, and since the penalties for violating the GDPR are incredibly draconian, the benefits of such surveillance would surely be outweighed by the risk of getting it wrong.
Apparently, Mark Zuckerberg disagrees. In an interview with Reuters' David Ingram and Joseph Menn, Facebook's founder signaled that Americans waiting to have the GDPR applied to them shouldn't hold their breath.
The EU's privacy rules are an interesting inversion of the usual problem of the close interconnectedness of our social networks when it comes to privacy. In the USA, the NSA is only supposed to spy on communications that involve foreigners (the NSA is theoretically prohibited from conducting domestic surveillance), but since virtually everything we do online crosses at least one border, the NSA ends up spying on Americans with approximately the same ardor that it approaches the rest of the world with.
The GDPR flips this dynamic on its head. If you're operating a platform on the scale of Facebook or Google, it's nearly impossible to be sure that the people you're spying on aren't in the EU, or aren't EU citizens (for example, I hold an EU passport, but I'm writing these words in my home in California). Almost any social interaction you spy on has a moderate likelihood of including at least one person who is covered by the GDPR.
In that way, EU privacy rules should end up being world privacy rules. This has led Clay Shirky to quip that Germany is playing the same role in global privacy that California plays in global emissions standards: a source of extremely stringent consumer protection regulations, in a market that no global business can afford to skip, meaning that nearly every car sold nearly everywhere benefits from California emissions standards, and (in theory) nearly every internet user nearly everywhere gets to be treated like a German internet user when it comes to privacy.
But apparently not. Zuck apparently has some plan to sort the surveillable from the protected, and is confident enough that he'll get it right that he's willing to bet billions of dollars on it — this being the scale of the fines that Facebook could pay under the GDPR if they slip up.
It's a characteristically arrogant move: Zuck is betting that he can do something that is technically impossible, and also betting that Americans won't mind that he's decided to treat them worse than Europeans. I'm betting he's wrong on both counts. He usually is, and honestly, he always has been.
GDPR is likely to hurt profit at Facebook because it could reduce the value of ads if the company cannot use personal information as freely and the added expense of hiring lawyers to ensure compliance with the new law.
Data is central to Facebook's advertising business, and it has not yet sketched out a satisfying plan for how it plans to comply, said Pivotal Research analyst Brian Wieser.
"I haven't heard any solutions from Facebook to get ahead of the problem yet," Wieser said.
Failure to comply with the law carries a maximum penalty of up to 4 percent of annual revenue.
It should not be difficult for companies to extend EU practices and policies elsewhere because they already have systems in place, said Nicole Ozer, director of technology and civil liberties at the American Civil Liberties Union of California.
Exclusive: Facebook CEO stops short of extending European privacy globally [David Ingram and Joseph Menn/Reuters]