It’s important to understand the relationship between the social giant and the increasing momentum of regulations – let’s look at Facebook and GDPR.
The social has successfully paralyzed US regulators for years. There is a distinguishable difference between US lawmakers’ and regulators’ approach to privacy and their European Union (EU) counterparts. With the elimination of net neutrality, the United States is on a crash and burn path with regard to regulations. The EU has taken the complete opposite approach. The General Data Protection Regulation (GDPR), although not perfect, is more aware of the digital challenges ahead and is taking steps to address them.
Facebook is often both hyper aggressive and tone-deaf to privacy concerns in their data collection efforts. Without the extraordinary circumstances of the 2016 elections, it’s doubtful they would be as ‘forthcoming’ as they have been. The push from the European regulators with GDPR actually benefits many American users of the service as well.
– Lawrence Blakeman, CEO at QuaEra Insights and industry expert on analytic technologies
Facebook and GDPR
The recently implemented GDPR is a sweeping set of rules and regulations intended to give citizens more control over their personal data. Facebook, as a data handler, falls into both categories: data controller and data processor. According to Facebook’s website:
A company is a data controller when it has the responsibility of deciding why and how (the ‘purposes’ and ‘means’) the personal data is processed.
- Under the GDPR, data controllers have to adopt compliance measures to cover how data is collected, what it’s used for and how long it’s retained. They also need to make sure people can access the data about them.
- Data controllers must ensure data processors meet their contractual commitments to process data safely and legally.
A company is a data processor when it processes personal data on behalf of a data controller. Under the GDPR, data processors have obligations to process data safely and legally.
While Facebook operates the majority of our services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties.
Facebook and GDPR have a tricky relationship. The company stated that it spent a year and a half preparing to meet GDPR requirements, and right off the bat it got slammed, hard. On day one, Facebook and two of its subsidiaries, Instagram and WhatsApp, were hit with multiple lawsuits regarding their use of personal data and their communication around information-sharing consent. The lawsuits were spearheaded by Austrian lawyer and privacy activist Max Schrems.
The Norwegian Consumer Council released a report on June 27, 2018, titled “Deceived by Design: How Tech Companies Use Dark Patterns to Discourage Us from Exercising Our Rights to Privacy,” which states in part:
In the example of face recognition, however, Facebook effectively hides privacy-intrusive default settings from the user. Despite the headline “Turn on face recognition if you want us to use this technology”, users who want to change the setting and turn on face recognition, do not have to do anything except click “Accept and continue”. Users that want to keep face recognition turned off, have to go into the settings and actively select off. For the many who do not click manage data settings, the least privacy friendly choice is in fact pre-selected. Note that choosing the most privacy friendly option requires four more clicks than the least privacy friendly option. That neither option is pre-selected once one has clicked through from “Manage data settings”, only sugar-coats the fact that the least privacy friendly option in fact is pre-selected through the design.