Most who are interested in the tech space are aware that the General Data Protection Regulation is set to go into effect on May 25, and it’s important for publishers and online ad platforms such as Facebook and Google to be in compliance with the new EU privacy rules by then.
However, Facebook in particular could be planning something sneaky with user data, even as U.S. lawmakers scrutinize its practices. While the new EU privacy rules do give users more protection over their data, there is still a loophole Facebook might try to use, which shows that users can't let their guard down even with the GDPR in place.
EU privacy rules: old versus new
To get ready for the GDPR, companies need a full understanding of how privacy rules for Europeans are changing, an added complication on top of the fallout from the data scandal involving Facebook and Cambridge Analytica. Unfortunately, recent studies have shown that many companies that will be affected by the new EU privacy rules aren't in compliance yet, and that most of those that believe they are compliant actually are not, judging by their answers to more detailed questions about GDPR compliance.
Goldman Sachs analyst Heather Bellini explained the differences between the old and the new EU privacy rules and the impacts on Facebook and Google in a recent note. The GDPR is aimed at providing greater protection and control for citizens of the European Union over their personal data, and it impacts all companies that offer services to EU citizens, regardless of their geographic location.
The biggest change the GDPR makes to EU privacy rules is the requirement that companies have a lawful basis, such as user consent, for using personal information. According to Bellini, ad firms must "demonstrate a legitimate interest in processing user data, or secure explicit permission to process the data." The new EU privacy rules also add the right to be forgotten, an issue that has arisen from time to time in Europe. Under this provision, individuals can demand that their information be deleted from online sources.
Bellini sums up the changes between the current and new EU privacy rules in these diagrams:
The timing of the GDPR is interesting, given the data privacy scandal Facebook is dealing with right now. The implementation date had already been set for quite some time, but the Cambridge Analytica issue arose during the weeks and months leading up to it—the same timeframe in which the GDPR really began to call attention to data privacy.
Options for Facebook and Google to secure consent under GDPR
The Goldman analyst also outlined the procedures she believes Facebook and Google will follow to become compliant with the new EU privacy rules. She noted that both companies have direct relationships with their users, which will enable them to request consent directly from users to target them with ads using their data.
She also noted that both Facebook and Google regularly update their mobile apps and terms of service, so she believes users are already used to getting prompts to accept updated terms. She expects a similar prompt from both Facebook and Google, although she also notes that the language in the prompt will have to be clearer and include more specific disclosures than previous updates to terms of service. However, she doesn't expect any "material expense" to be involved in such a campaign. Google has already updated its privacy site to indicate that it will probably follow this same path by updating its terms of service.
In order for user consent to be valid under the new EU privacy rules, it must fulfill these criteria:
One loophole Facebook could use in the GDPR
Most importantly, Bellini also explained one loophole in the new EU privacy rules that she believes Facebook may exploit, which has to do with "legitimate interest." She explained that the GDPR does not require companies to secure users' consent to collect their data "if they can demonstrate a legitimate interest in processing the data." This interest doesn't necessarily have to stem from a legal obligation.
Examples given in the new EU privacy rules include preventing fraud, processing data for direct marketing, and keeping IT systems safe and secure. However, she also emphasizes that companies relying on such a "legitimate interest" to collect users' data must still tell users that they are processing their data.
Bellini expects Facebook to exploit this loophole instead of trying to get each user to consent to having their data collected and processed. She even pointed to language recently added to the social media firm’s data policy which could signal its intention to use the “legitimate interest” loophole. The language is aimed at explaining how users’ information will be used:
EU could still block Facebook’s attempt
However, Bellini also explained that the GDPR states that these legitimate interests may be "overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data." Thus, if Facebook does try to use this "legitimate interest" loophole, it might not work, because the company's interest in ad targeting could be outweighed by users' own interests and fundamental rights.
Morgan Stanley analyst Brian Nowak also mentioned this loophole in his own recent note on the GDPR, and he explained how authorities could decide whether companies such as Facebook actually do have a "legitimate interest" in processing users' data. He said that lawmakers "will perform a 'balancing test' to consider the interests of the company vs the data rights of the consumer." In his view, this loophole may be reserved for purposes such as preventing fraud or crime and otherwise helping consumers and society, although he also noted that its scope wasn't made very clear in the new EU privacy rules.
Will users give their consent under the new EU privacy rules?
Bellini thinks it's too early to know whether Facebook and Google users will provide their consent under the GDPR when it goes into effect next month. However, she does feel that both companies can tailor user experiences better when they have users' data, for example by recommending additional content they might like.
She also points out that the GDPR requires companies to let users decline or revoke their consent without being penalized, meaning they must still get the same access to the service as users who consent. While this will likely keep companies from making consent a condition of using their services or apps, she notes that Facebook and Google can continue to serve ads to users who don't consent. The only difference is that such users won't receive ads targeted at them based on their personal data. Instead, the companies will likely target them using contextual data, such as the content they are viewing or the terms of a web search.