All posts in “GDPR”

Zuckerberg didn’t make any friends in Europe today

Speaking in front of EU lawmakers today Facebook’s founder Mark Zuckerberg namechecked the GDPR’s core principles of “control, transparency and accountability” — claiming his company will deliver on all that, come Friday, when a new European Union data protection framework, GDPR, starts being applied, finally with penalties worth the enforcement.

However there was little transparency or accountability on show during the session, given the upfront questions format which saw Zuckerberg cherry-picking a few comfy themes to riff on after silently absorbing an hour of MEPs’ highly specific questions with barely a facial twitch in response.

The questions MEPs asked of Zuckerberg were wide ranging and often drilled deep into key pressure points around the ethics of Facebook’s business — ranging from how deep the app data misuse privacy scandal rabbithole goes; to whether the company is a monopoly that needs breaking up; to how users should be compensated for misuse of their data.

Is Facebook genuinely complying with GDPR, he was asked several times (unsurprisingly, given the scepticism of data protection experts on that front). Why did it choose to shift ~1.5BN users out of reach of the GDPR? Will it offer a version of its platform that lets people completely opt out of targeted advertising, as it has studiously avoided doing so far?

Why did it refuse a public meeting with the EU parliament? Why has it spent “millions” lobbying against EU privacy rules? Will the company commit to paying taxes in the markets where it operates? What’s it doing to prevent fake accounts? What’s it doing to prevent bullying? Does it regulate content or is it a neutral platform?

Zuckerberg made like a sponge and absorbed all this fine-grained flak. But when the time came for responses the data flow was not reciprocal; self-serving talking points on self-selected “themes” were all he had come prepared to serve up.

Yet — and here the irony is very rich indeed — people’s personal data flows liberally into Facebook, via all sorts of tracking technologies and techniques.

And as the Cambridge Analytica data misuse scandal has now made amply clear, people’s personal information has also very liberally leaked out of Facebook — oftentimes without their knowledge or consent.

But when it comes to Facebook’s own operations, the company maintains a highly filtered, extremely partial ‘newsfeed’ on its business empire — keeping a tight grip on the details of what data it collects and why.

Only last month Zuckerberg sat in Congress avoiding giving straight answers to basic operational questions. So if any EU parliamentarians had been hoping for actual transparency and genuine accountability from today’s session they would have been sorely disappointed.

Yes, you can download the data you’ve willingly uploaded to Facebook. Just don’t expect Facebook to give you a download of all the information it’s gathered and inferred about you.

The EU parliament’s political group leaders seemed well tuned to the myriad concerns now flocking around Facebook’s business. And were quick to seize on Zuckerberg’s dumbshow as further evidence that Facebook needs to be ruled.

Thing is, in Europe regulation is not a dirty word. And GDPR’s extraterritorial reach and weighty public profile look to be further whetting political appetites.

So if Facebook was hoping the mere appearance of its CEO sitting in a chair in Brussels, going through the motions of listening before reading from his usual talking points, would be enough, that looks to be a major miscalculation.

“It was a disappointing appearance by Zuckerberg. By not answering the very detailed questions by the MEPs he didn’t use the chance to restore trust of European consumers but in contrary showed to the political leaders in the European Parliament that stronger regulation and oversight is needed,” Green MEP and GDPR rapporteur Jan Philipp Albrecht told us after the meeting.

Albrecht had pressed Zuckerberg about how Facebook shares data between Facebook and WhatsApp — an issue that has raised the ire of regional data protection agencies. And while DPAs forced the company to turn off some of these data flows, Facebook continues to share other data.

The MEP had also asked Zuckerberg to commit to no exchange of data between the two apps. Zuckerberg determinedly made no such commitment.

Claude Moraes, chair of the EU parliament’s civil liberties, justice and home affairs (Libe) committee, issued a slightly more diplomatic reaction statement after the meeting — yet also with a steely undertone.

“Trust in Facebook has suffered as a result of the data breach and it is clear that Mr. Zuckerberg and Facebook will have to make serious efforts to reverse the situation and to convince individuals that Facebook fully complies with European Data Protection law. General statements like ‘We take privacy of our customers very seriously’ are not sufficient, Facebook has to comply and demonstrate it, and for the time being this is far from being the case,” he said.

“The Cambridge Analytica scandal was already in breach of the current Data Protection Directive, and would also be contrary to the GDPR, which is soon to be implemented. I expect the EU Data Protection Authorities to take appropriate action to enforce the law.”

Damian Collins, chair of the UK parliament’s DCMS committee, which has thrice tried and failed to get Zuckerberg to appear before it, did not mince his words at all. Albeit he has little reason to, having been so thoroughly rejected by the Facebook founder — and having accused the company of a pattern of evasive behavior to its CTO’s face — there’s clearly not much to hold out for now.

“What a missed opportunity for proper scrutiny on many crucial questions raised by the MEPs. Questions were blatantly dodged on shadow profiles, sharing data between WhatsApp and Facebook, the ability to opt out of political advertising and the true scale of data abuse on the platform,” said Collins in another reaction statement after the meeting. “Unfortunately the format of questioning allowed Mr Zuckerberg to cherry-pick his responses and not respond to each individual point.

“I echo the clear frustration of colleagues in the room who felt the discussion was shut down,” he added, ending with a fourth (doubtless equally forlorn) request for Zuckerberg to appear in front of the DCMS Committee to “provide Facebook users the answers they deserve”.

In the latter stages of today’s EU parliament session several MEPs — clearly very exasperated by the straitjacketed format — resorted to heckling Zuckerberg to press for answers he had not given them.

“Shadow profiles,” interjected one, seizing on a moment’s hesitation as Zuckerberg sifted his notes for the next talking point. “Compensation,” shouted another, earning a snort of laughter from the CEO and some more theatrical note flipping to buy himself time.

Then, appearing slightly flustered, Zuckerberg looked up at one of the hecklers and said he would engage with his question — about shadow profiles (though Zuckerberg dare not speak that name, of course, given he claims not to recognize it) — arguing Facebook needs to hold onto such data for security purposes.

Zuckerberg did not specify, as MEPs had asked him to, whether Facebook uses data about non-users for any purposes other than the security scenario he chose to flesh out (aka “keeping bad content out”, as he put it).

He also ignored a second follow-up pressing him on how non-users can “stop that data being transferred”.

“On the security side we think it’s important to keep it to protect people in our community,” Zuckerberg said curtly, before turning to his lawyer for a talking point prompt (couched as an ask if there are “any other themes we wanted to get through”).

His lawyer hissed to steer the conversation back to Cambridge Analytica — to Facebook’s well-trodden PR about how they’re “locking down the platform” to stop any future data heists — and the Zuckbot was immediately back in action regurgitating his now well-practiced crisis PR around the scandal.

What was very clearly demonstrated during today’s session was the Facebook founder’s preference for control — that’s to say control which he is exercising.

Hence the fixed format of the meeting, which had been negotiated prior to Facebook agreeing to meet with EU politicians, and which clearly favored the company by allowing no formal opportunity for follow ups from MEPs.

Zuckerberg also tried several times to wrap up the meeting — by insinuating and then announcing time was up. MEPs ignored these attempts, and Zuckerberg seemed most uncomfortable at not having his orders instantly carried out.

Instead he had to sit and watch a micro negotiation between the EU parliament’s president and the political groups over whether they would accept written answers to all their specific questions from Facebook — before he was publicly put on the spot by president Antonio Tajani to agree to provide the answers in writing.

Although, as Collins has already warned MEPs, Facebook has had plenty of practice at generating wordy but empty responses to politicians’ questions about its business processes — responses which evade the spirit and specifics of what’s being asked.

The self-control on show from Zuckerberg today is certainly not the kind of guardrails that European politicians increasingly believe social media needs. Self-regulation, observed several MEPs to Zuckerberg’s face, hasn’t worked out so well has it?

The first MEP to lay out his questions warned Zuckerberg that apologizing is not enough. Another pointed out he’s been on a contrition tour for about 15 years now.

Facebook needs to make a “legal and moral commitment” to the EU’s fundamental values, he was told by Moraes. “Remember that you’re here in the European Union where we created GDPR so we ask you to make a legal and moral commitment, if you can, to uphold EU data protection law, to think about ePrivacy, to protect the privacy of European users and the many millions of European citizens and non-Facebook users as well,” said the Libe committee chair.

But self-regulation — or, the next best thing in Zuckerberg’s eyes: ‘Facebook-shaped regulation’ — was what he had come to advocate for, picking up on the MEPs’ regulation “theme” to respond with the same line he fed to Congress: “I don’t think the question here is whether or not there should be regulation. I think the question is what is the right regulation.”

“The Internet is becoming increasingly important in people’s lives. Some sort of regulation is important and inevitable. And the important thing is to get this right,” he continued. “To make sure that we have regulatory frameworks that help protect people, that are flexible so that they allow for innovation, that don’t inadvertently prevent new technologies like AI from being able to develop.”

He even brought up startups — claiming ‘bad regulation’ (I paraphrase) could present a barrier to the rise of future dormroom Zuckerbergs.

Of course he failed to mention how his own dominant platform is the attention-sapping, app gobbling elephant in the room crowding out the next generation of would-be entrepreneurs. But MEPs’ concerns about competition were clear.

Instead of making friends and influencing people in Brussels, Zuckerberg looks to have delivered less than if he’d stayed away — angering and alienating the very people whose job it will be to amend the EU legislation that’s coming down the pipe for his platform.

Ironically one of the few specific questions Zuckerberg chose to answer was a false claim by MEP Nigel Farage — who had wondered whether Facebook is still a “neutral political platform”, griping about drops in engagement for rightwing entities ever since Facebook’s algorithmic changes in January, before claiming, erroneously, that Facebook does not disclose the names of the third party fact checkers it uses to help it police fake news.

So — significantly, and as was also evident in the US Senate and Congress — Facebook was taking flak from both left and right of the political spectrum, implying broad, cross-party support for regulating these algorithmic platforms.

Actually Facebook does disclose those fact checking partnerships. But it’s pretty telling that Zuckerberg chose to expend some of his oh-so-slender speaking time to debunk something that really didn’t merit the breath.

Farage had also claimed, during his three minutes, that without “Facebook and other forms of social media there is no way that Brexit or Trump or the Italian elections could ever possibly have happened”. 

Funnily enough Zuckerberg didn’t make time to comment on that.

Zuckerberg avoided tough questions thanks to short EU testimony format

Mark Zuckerberg got to cherry-pick the questions he wanted to answer from EU Parliament after it spent an hour taking turns rattling off queries in bulk before leaving just a half-hour for his batched responses. Zuckerberg immediately trotted out his dorm room story of not expecting Facebook’s current duty to safety and democracy, and repeated his pledge to broaden the company’s responsibility. While he’s vowed to have his team follow-up with point-by-point replies, he managed to escape the televised testimony without any newsworthy gaffes.

The public will have to wait for canned, written responses to the toughest questions about why Facebook didn’t disclose the Cambridge Analytica issue immediately, how it uses shadow profiles and what he thinks about Facebook, Instagram and WhatsApp being broken up. If Zuckerberg played it safe during his U.S. congressional testimony by being boring, he dodged scandal here by using the abbreviated format to bend the testimony toward his most defensible positions.

Asked how the format was selected, a Facebook spokesperson tells me it was decided by the European Parliament. Facebook apparently only gave some guidelines about Mark Zuckerberg’s time. A UK member confirmed this is the standard format for Parliament meetings.

Future testimonies by technology industry executives will be much more productive for the public if officials keep questions succinct and only ask the hard ones, executives are given ample time to answer them all and they use a question-answer format. No more of this question-question-question-question-answer-answer-goodbye.

Zuckerberg initially resisted the Brussels meeting with Parliament (technically not a “testimony”). Then it was slated to be private before public outcry led to the livestreaming of the session. While the questions were more pointed than those asked by U.S. Congress, the overall feel with Zuckerberg seated next to Parliament members rather than in the hotseat before them gave the meeting a less consequential tone.

The Facebook CEO used his short answer period to explain that he feels like there’s plenty of new competition for Facebook, and that it actually aids competition by offering tools to enable small businesses to challenge big brands online. He cited that “dozens of percents” of European users have gone through Facebook’s GDPR settings, rolling them out early so they’re dismissible until the May 25th deadline because, “The last thing we want is for people to go through the flows quicker than they need to and just hit OK.” That ignores the dark pattern designs built into that GDPR privacy flow, which, while temporarily dismissible, does coerce users to consent by visually downplaying the buttons to opt out of giving Facebook data.

Zuckerberg laid out his thoughts about the future of regulation for social networks, noting that “Some sort of regulation is important and inevitable, and the important thing is to get this right.” He said that regulations would need to “allow for innovation, don’t inadvertently prevent new technologies like AI from being able to develop, and of course to make sure that new startups — the next student sitting in a college dorm room like I was — doesn’t have an undue burden in being able to build the next great product.” That’s positive, since blunt regulation could create a moat for Facebook.

But when Zuckerberg concluded his testimony, noting “I want to be sensitive to time because we are 15 minutes over” the scheduled 75-minute session length, several EU officials spoke up, angry that they felt their questions had been ignored. “Will you allow users to escape targeted advertising? I asked you six yes-or-no questions and got not a single answer, and of course, well, you asked for this format for a reason,” stated one member of Parliament. “I’ll make sure we follow up and get you answers to those,” Zuckerberg coldly responded. “We’re going to have someone come to do a full hearing soon to answer more of the technical questions as well.”

The combative atmosphere at the conclusion of the testimony means Facebook could encounter soured regulators in the future who might be emboldened by their disappointment in his appearance. Zuckerberg might have avoided losing the minds of the EU by dodging damning topics, but he sure didn’t win the hearts of Europe’s lawmakers.

Brexit data transfer gaps a risk for UK startups, MPs told

The uncertainty facing digital businesses as a result of Brexit was front and center during a committee session in the UK parliament today, with experts including the UK’s information commissioner responding to MPs’ questions about how and even whether data will continue to flow between the UK and the European Union once the country has departed the bloc — in just under a year’s time, per the current schedule.

The risks for UK startups vs tech giants were also flagged, with concerns voiced that larger businesses are better placed to weather Brexit-based uncertainty thanks to greater resources at their disposal to plug data transfer gaps resulting from the political upheaval.

Information commissioner Elizabeth Denham emphasized the overriding importance of the UK data protection bill being passed. Though that’s really just the baby step where the Brexit negotiations are concerned.

Parliamentarians have another vote on the bill this afternoon, during its third reading, and the legislative timetable is tight, given that the pan-EU General Data Protection Act (GDPR) takes direct effect on May 25 — and many provisions in the UK bill are intended to bring domestic law into line with that regulation, and complete implementation ahead of the EU deadline.

Despite the UK referendum vote to pull the country out of the EU, the government has committed to complying with GDPR — which ministers hope will lay a strong foundation for it to secure a future agreement with the EU that allows data to continue flowing, as is critical for business. Although what exactly that future data regime might be remains to be seen — and various scenarios were discussed during today’s hearing — hence there’s further operational uncertainty for businesses in the years ahead.

“Getting the data policy right is of critical importance both on the commercial side but also on the security and law enforcement side,” said Denham. “We need data to continue to flow and if we’re not part of the unified framework in the EU then we have to make sure that we’re focused and we’re robust about putting in place measures to ensure that data continues to flow appropriately, that it’s safeguarded and also that there is business certainty in advance of our exit from the EU.

“Data underpins everything that we do and it’s critically important.”

Another witness to the committee, James Mullock, a partner at law firm Bird & Bird, warned that the Brexit-shaped threat to UK-EU data flows could result in a situation akin to what happened after the long-standing Safe Harbor arrangement between the EU and the US was struck down in 2015 — leaving thousands of companies scrambling to put in place alternative data transfer mechanisms.

“If we have anything like that it would be extremely disruptive,” warned Mullock. “And it will, I think, be extremely off-putting in terms of businesses looking at where they will headquarter themselves in Europe. And therefore the long term prospects of attracting businesses from many of the sectors that this country supports so well.”

“Essentially what you’re doing is you’re putting the burden on business to find a legal agreement or a legal mechanism to agree data protection standards on an overseas recipient so all UK businesses that receive data from Europe will be having to sign these agreements or put in place these mechanisms to receive data from the European Union which is obviously one of our very major senders of data to this country,” he added of the alternative legal mechanisms fall-back scenario.

Another witness, Giles Derrington, head of Brexit policy for UK technology advocacy organization, TechUK, explained how the collapse of Safe Harbor had saddled businesses with major amounts of bureaucracy — and went on to suggest that a similar scenario befalling the UK as a result of Brexit could put domestic startups at a big disadvantage vs tech giants.

“We had a member company who had to put in place two million Standard Contractual Clauses over the space of a month or so [after Safe Harbor was struck down],” he told the committee. “The amount of cost, time, effort that took was very, very significant. That’s for a very large company.

“The other side of this is the alternatives are highly exclusionary — or could be highly exclusionary to smaller businesses. If you look at India for example, who have been trying to get an adequacy agreement with the EU for about ten years, what you’ve actually found now is a gap between those large multinationals, who can put in place binding corporate rules, standard contractual clauses, have the kind of capital to be able to do that — and it gives them an access to the European market which frankly most smaller businesses don’t have from India.

“We obviously wouldn’t want to see that in a UK tech sector which is an awful lot of startups, scale-ups, and is a key part of the ecosystem which makes the UK a tech hub within Europe.”

Denham made a similar point. “Binding corporate rules… might work for multinational companies [as an alternative data transfer mechanism] that have the ability to invest in that process,” she noted. “Codes of conduct and certification are other transfer mechanisms that could be used but there are very few codes of practice and certification mechanisms in place at this time. So, although that could be a future transfer mechanism… we don’t have codes and certifications that have been approved by authorities at this time.”

“I think it would be easier for multinational companies and large companies, rather than small businesses and certainly microbusinesses, that make up the lion’s share of business in the UK, especially in tech,” she added of the fall-back scenarios.

Giving another example of the scale of the potential bureaucracy nightmare, Stephen Hurley, head of Brexit planning and policy for UK ISP British Telecom, told the committee it has more than 18,000 suppliers. “If we were to put in place Standard Contractual Clauses it would be a subset of those suppliers but we’d have to identify where the flows of data would be coming from — in particular from the EU to the UK — and put in place those contractual clauses,” he said.

“The other problem with the contractual clauses is they’re a set form, they’re a precedent form that the Commission issues. And again that isn’t necessarily designed to deal with the modern ways of doing business — the way flows of data occurs in practice. So it’s quite a cumbersome process. And… [there’s] uncertainty as well, given they are currently under challenge before the European courts, a lot of companies now are already doing a sort of ‘belt and braces’ where even if you rely on Privacy Shield you’ll also put in place an alternative transfer mechanism to allow you to have a fall back in case one gets temporarily removed.”

A better post-Brexit scenario than every UK business having to do the bureaucratic and legal leg-work themselves would be the UK government securing a new data flow arrangement with the EU. Not least because, as Hurley mentioned, Standard Contractual Clauses are subject to a legal challenge, with legal question marks now extended to Privacy Shield too.

But what shape any such future UK-EU data transfer arrangement could take remains tbc.

The panel of witnesses agreed that personal data flows would be very unlikely to be housed within any future trade treaty between the UK and the EU. Rather data would need to live within a separate treaty or bespoke agreement, if indeed such a deal can be achieved.

Another possibility is for the UK to receive an adequacy decision from the EC — such as the Commission has granted to other third countries (like the US). But there was consensus on the panel that some form of bespoke data arrangement would be a superior outcome — for legal reasons but also for reciprocity and more.

Mullock’s view is a treaty would be preferable as it would be at lesser risk of a legal challenge. “I’m saying a treaty is preferable to a decision but we should take what we can get,” he said. “But a treaty is the ultimate standard to aim for.”

Denham agreed, underlining how an adequacy decision would be much more limiting. “I would say that a bespoke agreement or a treaty is preferable because that implies mutual recognition of each of our data protection frameworks,” she said. “It contains obligations on both sides, it would contain dispute mechanisms. If we look at an adequacy decision by the Commission that is a one-way decision judging the standard of UK law and the framework of UK law to be adequate according to the Commission and according to the Council. So an agreement would be preferable but it would have to be a standalone treaty or a standalone agreement that’s about data — and not integrate it into a trade agreement because of the fundamental rights element of data protection.”

Such a bespoke arrangement could also offer a route for the UK to negotiate and retain some role for her office within EU data protection regulation after Brexit.

Because as it stands, with the UK set to exit the EU next year — and even if an adequacy decision was secured — the ICO will lose its seat at the table at a time when EU privacy laws are setting the new global standard, thanks to GDPR.

“Unless a role for the ICO was negotiated through a bespoke agreement or a treaty there’s no way in law at present that we could participate in the one-stop shop [element of GDPR, which allows for EU DPAs to co-ordinate regulatory actions] — which would bring huge advantages to both sides and also to British businesses,” said Denham.

“At this time when the GDPR is in its infancy, participating in shaping and interpreting the law I think is really important. And the group of regulators that sit around the table at the EU are the most influential blocs of regulators — and if we’re outside of that group and we’re an observer we’re not going to have the kind of effect that we need to have with big tech companies. Because that’s all going to be decided by that group of regulators.”

“The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies, for regulating big tech. So we will be a less influential regulator, we will continue to regulate the law and protect UK citizens as we do now, but we won’t be at the leading edge of interpreting the GDPR — and we won’t be bringing British values to that table if we’re not at the table,” she added.

Hurley also made the point that if the ICO is not inside the GDPR one-stop shop mechanism then UK companies will have to choose another data protection agency within the EU to act as their lead regulator — describing this as “again another burden which we want to avoid”.

The panel was asked about opportunities for domestic divergence on elements of GDPR once the UK is outside the EU. But no one saw much advantage to be eked out outside a regulatory regime that is now responsible for the de facto global standard for data protection.

“GDPR is by no means perfect and there are a number of issues that we have with it. Having said that because GDPR has global reach it is now effectively being seen as we have to comply with this at an international level by a number of our largest members, who are rolling it out worldwide — not just Europe-wide — so the opportunities for divergence are quite limited,” said Derrington. “Particularly actually in areas like AI. AI requires massive amounts of data sets. So you can’t do that just from a UK only data-set of 60 million people if you took everyone. You need more data than that.

“If you were to use European data, which most of them would, then that will require you to comply with GDPR. So actually even if you could do things which would make it easier for some of the AI processes to happen by doing so you’d be closing off your access to the data-sets — and so most of the companies I’ve spoken to… see GDPR as that’s what we’re going to have to comply with. We’d much rather it be one rule… and to be able to maintain access to [EU] data-sets rather than just applying dual standards when they’re going to have to meet GDPR anyway.”

He also noted that about two-thirds of TechUK members are small and medium sized businesses, adding: “A small business working in AI still needs massive amounts of data.

“From a tech sector perspective, considering whether data protection sits in the public consciousness now, actually don’t see there being much opportunity to change GDPR. I don’t think that’s necessarily where the centre of gravity amongst the public is — if you look at the data protection bill, as it went through both houses, most of the amendments to the bill were to go further, to strengthen data protection. So actually we don’t necessarily see this is idea that we will significantly walk back GDPR. And bear in mind that any company which are doing any work with the EU would have to comply with GDPR anyway.”

The possibility of legal challenges to any future UK-EU data arrangement was also discussed during the hearing, with Denham saying that scrutiny of the UK’s surveillance regime once it is outside the EU is inevitable — though she suggested the government will be able to win over critics if it can fully articulate its oversight regime.

“Whether the UK proceeds with an adequacy assessment or whether we go down the road of looking at a bespoke agreement or a treaty we know, as we’ve seen with the Privacy Shield, that there will be scrutiny of our intelligence services and the collection, use and retention of data. So we can expect that,” she said, before arguing the UK has a “good story” to tell on that front — having recently reworked its domestic surveillance framework and included accepting the need to make amendments to the law following legal challenges.

“Accountability, transparency and oversight of our intelligence service needs to be explained and discussed to our [EU] colleagues but there is no doubt that it will come under scrutiny — and my office was part of the most recent assessment of the Privacy Shield. And looking at the US regime. So we’re well aware of the kind of questions that are going to be asked — including our arrangement with the Five Eyes, so we have to be ready for that,” she added.

Facebook warns GDPR could flatten or reduce European user count

Europe’s sweeping privacy law GDPR goes into effect May 25th, and Facebook is being forced to push users through new agreements to terms of service changes required to comply with the law. That’s why during today’s successful Q1 2018 earnings report call, Facebook CFO David Wehner warned that “we believe MAU or DAU might be flat or down in Q2 due to the GDPR rollout.” He also said that while Facebook doesn’t expect a significant impact on ads from GDPR, there may be a slight impact and it will be monitoring for that. Wehner notes that GDPR will impact the global online advertising industry so it may be hard to tell what the exact repercussions are for Facebook.

Wehner later clarified that’s “what we’re expecting given that you’re having to bring people through these consent flows, and we have been modeling it and expect there would be a flat to down impact on MAU and DAU.” Facebook went on to describe how if users change their ad privacy settings through the GDPR prompts to allow less targeting, ads could be less effective, so advertisers would pay less for them.

“Fundamentally we believe we can continue to build a great ads business” while continuing to protect people’s privacy, Wehner explained. He said what’s important is Facebook’s relative value to advertisers, which theoretically shouldn’t change since all ad platforms are impacted by GDPR.

Facebook unveiled its GDPR-related changes and how users will be asked to consent to them last week, and drew heavy criticism. Facebook employed “dark patterns” in the design of the consent flow, coercing users to agree to the changes without fully considering them. Meanwhile, it minimized the size and visual prominence of the buttons to revoke permissions from Facebook or reject the changes outright and terminate their account.

Facebook was likely trying to minimize the disruption to the user experience and thereby its user count with this shady design methodology. Just the fact that Wehner said Facebook has to “bring people through these consent flows” rather than describing them as giving user choice or anything about Facebook’s commitment to privacy shows that it views GDPR as merely a hurdle, not something users deserve for protection.

WhatsApp raises minimum age to 16 in Europe ahead of GDPR

Tech giants are busy updating their T&Cs ahead of the EU’s incoming data protection framework, GDPR. Which is why, for instance, Facebook-owned Instagram is suddenly offering a data download tool. You can thank European lawmakers for being able to take your data off that platform.

Facebook-owned WhatsApp is also making a pretty big change as a result of GDPR — noting in its FAQs that it’s raising the minimum age for users of the messaging platform to 16 across the “European Region”. This includes in both EU and non-EU countries (such as Switzerland), as well as the in-the-process-of-brexiting UK (which is set to leave the EU next year).

In the US, the minimum age for WhatsApp usage remains 13.

Where teens are concerned GDPR introduces a new provision concerning children’s personal data — setting a 16-year-old age limit on kids being able to consent to their data being processed — although it does allow some wiggle room for individual countries to write a lower age limit into their laws, setting a hard cap at 13-years-old.

WhatsApp isn’t bothering to try to vary the age gate depending on limits individual EU countries have set, though. Presumably to reduce the complexity of complying with the new rules.

But also likely because it’s confident WhatsApp-loving teens won’t have any trouble circumventing the new minimum age limit. And therefore that there’s no real risk to its business because teenagers will easily ignore the rules.

Certainly it’s unclear whether WhatsApp and its parent Facebook will do anything at all to enforce the age limit — beyond asking users to state they are at least 16 (and taking them at their word). So in practice, while on paper the 16-years-old minimum seems like a big deal, the change may do very little to protect teens from being data-mined by the ad giant.

We’ve asked WhatsApp whether it will cross-check users’ accounts with Facebook accounts and data holdings to try to verify a teen really is 16, for example, but nothing in its FAQ on the topic suggests it plans to carry out any active enforcement at all — instead it merely notes:

  • Creating an account with false information is a violation of our Terms
  • Registering an account on behalf of someone who is underage is also a violation of our Terms

Ergo, that does sound very much like a buck being passed. And it will likely be up to parents to try to actively enforce the limit — by reporting their own underage WhatsApp-using kids to the company (which would then have to close the account). Clearly few parents would relish the prospect of doing that.

Yet Facebook does already share plenty of data between WhatsApp and its other companies for all sorts of self-serving, business-enhancing purposes — and even including, as it couches it, “to ensure safety and security”. So it’s hardly short of data to carry out some age checks of its own and proactively enforce the limit.

One curious difference is that Facebook’s approach to teen usage of WhatsApp is notably distinct to the one it’s taking with teens on its main social platform — also as it reworks the Facebook T&Cs ahead of GDPR.

Under the new terms there Facebook users between the ages of 13 and 15 will need to get parental permission to be targeted with ads or share sensitive info on Facebook.

But again, as my TC colleague Josh Constine pointed out, the parental consent system Facebook has concocted is laughably easy for teens to circumvent — merely requiring they select one of their Facebook friends or just enter an email address (which could literally be an alternative email address they themselves control). That entirely unverified entity is then asked to give ‘consent’ for their ‘child’ to share sensitive info. So, basically, a total joke.

As we’ve said before, Facebook’s approach to GDPR ‘compliance’ is at best described as ‘doing the minimum possible’. And data protection experts say legal challenges are inevitable.

Update: WhatsApp has now confirmed to us it is raising the minimum age to use its service from 13 to 16 across the EU in order to comply with GDPR. It also said that because it collects limited categories of information from its users it had to make a tradeoff between collecting more personal information or keeping it simple and raising the minimum age across the board in the region. Hence it’s taking a different approach here vs Facebook.

The company also told us that users in the region will be asked to confirm whether they are at least 16 years old when they are presented with its updated terms of service. But it will not start asking for a user’s date of birth.

Also in Europe Facebook has previously been forced via regulatory intervention to give up one portion of the data sharing between its platforms — specifically for ad targeting purposes. However its WhatsApp T&Cs also suggest it is confident it will find a way to circumvent that in future, as it writes it “will only do so when we reach an understanding with the Irish Data Protection Commissioner on a future mechanism to enable such use” — i.e. when, not if.

Last month it also signed an undertaking with the DPC on this related to GDPR compliance, so again appears to have some kind of regulatory-workaround ‘mechanism’ in the works.