LONDON — When Facebook chief executive Mark Zuckerberg told U.S. lawmakers last week that he would extend Europe's strict new privacy rules to the company's 2.2 billion users around the world, many took his word at face value.
It turns out, they should have read the fine print.
Despite Zuckerberg's pledge, almost all of the privacy standards included in Europe's overhaul, known as the General Data Protection Regulation, or GDPR, will remain off-limits to Facebook users outside the 28-member bloc, according to legal experts and company insiders.
A big reason why: Facebook has altered its legal language so that people from across Asia, Latin America and Africa would no longer fall under the jurisdiction of Ireland's privacy watchdog.
That means non-EU users will no longer be able to appeal to European data protection authorities to uphold EU rules, including the “right to be forgotten,” which will force companies like Facebook to delete people's online information under certain circumstances — and which are likely to conflict with the right to freedom of speech, most notably in the United States.
Another is Europe's upcoming demand that businesses inform regulators within three days if people's data has been hacked. Such rules are unlikely to apply outside of the European Union, where other countries' own privacy rules put far less onerous demands on companies to come clean when digital information is stolen.
Similarly, the right to turn to European data protection agencies to enforce the Continent's upcoming privacy standards, which come into force on May 25, will not extend to those outside of Europe, who make up the vast majority of the social networking giant's 2.2 billion users.
“It appears Facebook wants to create a version of GDPR that meets its own requirements,” said Simon McGarr, director of Dublin-based Data Compliance Europe, a consultancy that advises companies about how to abide by Europe's privacy rules. “That is not how Europe's privacy rights work.”
Facebook said Zuckerberg only outlined that the new privacy controls under GDPR, and not the other regulatory requirements, would be applied to Facebook's global network.
“We're committed to rolling out the controls and the affirmative consent and the special controls around sensitive types of technology, like face recognition, that are required in GDPR,” Zuckerberg told the U.S. Senate's commerce and judiciary committees on April 10. His notes for the hearing included a reminder: “Don't say we already do what GDPR requires.”
“We're doing that around the world,” Facebook's chief added.
The company spent more than two years, with a team of hundreds of lawyers, coders and designers, creating new tools for its users that would allow them to understand how their data is used. Many of these upgrades have started to be rolled out worldwide.
EU vs. global rights: What takes precedence?
Europe's upcoming privacy standards represent the largest global overhaul of data protection rights in the last 30 years. They have led many non-EU countries, notably Canada, Argentina and Japan, to revamp their own domestic legislation to fall in line with the EU rules.
As part of the revamp, any company with European customers — ranging from multinationals like Google and General Electric to small businesses and tech startups — must comply with the EU data protection rules or face fines of up to €20 million or 4 percent of its global revenue, whichever is higher.
But, importantly, these legal prescriptions will apply only to corporate activities within the Continent, meaning that non-EU companies are not obliged to extend the same protections to their customers outside of the bloc.
Legal experts say many businesses are voluntarily making some of the same rights available to their global users, mostly because it is easier to comply with Europe's globally reaching standard than to adopt country-by-country rules.
“There's no doubt it's having an extraterritorial impact,” said Eduardo Ustaran, co-director of the global privacy and cybersecurity practice at Hogan Lovells, in reference to Europe's new privacy rules.
But the most onerous legal obligations, including hefty financial penalties for wrongdoing required under the GDPR, will be limited to Europe.
Questions also remain about how many of Europe's privacy rules would be legally enforceable elsewhere, particularly in the U.S., where the country's own privacy standards are more relaxed than those in the EU and where other rights — particularly freedom of speech guaranteed under the First Amendment — may run counter to European-style privacy rules.
Europe's beefed-up “right to be forgotten” rule is a case in point.
Expanding on a 2014 legal ruling against Google by Europe's highest court, the new provisions allow Europeans to demand that companies tell them everything the companies know about them, and require businesses to delete all of that information.
That right may run counter to freedom of expression principles outside of the EU. That's particularly true if individuals with no connection to Europe begin to use these newfound standards to remove harmful, but legally required, information about themselves from the internet, such as references to criminal records or other legal documents.
Emily Sharpe, a privacy and public policy manager at Facebook, told POLITICO that the company has always given people the right to delete information, though questions have been raised about whether the social network retains data on both its users and those who don't use the platform.
Facebook's privacy upgrade: GDPR in name only
Other European-mandated privacy requirements also will remain out of reach for Facebook's global users.
Under the EU's upcoming standards, companies must tell regulators within three days if people's data has been hacked or face hefty fines. Yet in the U.S., a mixture of state-by-state privacy rules means American companies will continue to have weeks, if not months, to make similar disclosures about their U.S. customers.
Facebooks most recent data scandal, which involved a third-party app allegedly collecting data on up to 87 million users without their consent, was not considered such a data breach. But when other high-profile companies like Uber and credit agency Equifax were hacked, they waited up to a year or longer to inform authorities that personal data had been compromised.
In addition, non-EU Facebook users will soon not be able to rely on the Continents data protection agencies to uphold their rights.
Previously, all of the company's non-North American customers, or roughly 80 percent of its users, were overseen by the Irish regulator because Facebook's international headquarters was located in the low-tax country.
But under proposed changes, these non-EU users would now have a legal contract with Facebook's U.S. entity, meaning that they would fall under America's privacy standards, which many privacy campaigners see as less rigorous than Europe's upcoming privacy legislation.
The change would also ensure that only European citizens, and not the vast majority of the social network's customers, could turn to the Irish agency or other European watchdogs if they believed their privacy rights had been violated.
“We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live,” Stephen Deadman, Facebook's deputy chief global privacy officer, said in a statement in response to the privacy change, which was previously reported by Reuters. “These updates do not change that.”