A Tough Task for Facebook: European-Type Privacy for All

Next month, a comprehensive new data protection law goes into effect in the European Union, placing greater requirements on how companies like Facebook and Google handle users’ personal information. It also strengthens individuals’ rights to control the collection and use of their data.

Last week, Mark Zuckerberg, Facebook’s chief executive, said his company would offer its users all over the world the same privacy controls required under the European law.

What would that look like for Facebook users? That is still a work in progress. A Facebook spokeswoman said the company would provide more details about its plans in the coming weeks.

In the meantime, here are some of the general requirements and rights under the new European law. Although some of the practical steps that companies must take are still being worked out, several European privacy and consumer advocates, who had pushed for the new law, offered their thoughts on what Facebook might need to do to extend the protections to its users worldwide.

The European law, called the General Data Protection Regulation, requires companies to collect and store only the minimum amount of user data needed to provide a specific, stated service. That means a flashlight app should not be asking users for access to their photos or contacts.

Anna Fielder, a senior policy adviser at Britain-based Privacy International, said she thought the new law would require the social network to change certain advertising and other settings to make privacy, and not sharing, the default. Currently, the company makes certain user profile details public by default. And the default advertising settings allow targeted ads based on a user’s relationship status, employer, job title, education and use of websites and apps.

Facebook currently has controls that allow users to choose who can see their posts. There is also a “privacy checkup” feature where users can adjust their sharing settings.

In a statement in response to questions, Rob Sherman, Facebook’s deputy chief privacy officer, said, “We need to do more to keep people informed and in control.” He noted that the company had recently introduced a new “privacy shortcuts” menu that centralized major privacy, security and ad settings. “These are just a few small steps and there’s more to come,” he said.

The European law requires companies like Facebook and Google to use clear and plain language to explain how they will use their users’ personal details. The companies must also provide information about what other kinds of entities users’ data will be shared with. Digital platforms must also obtain consent from individuals for many uses of their data.

When companies want to use individuals’ data for a new purpose, they must explain that new purpose and obtain users’ permission. And companies must get special permission from users to collect and use sensitive details like health information, unless that data is clearly related to the purpose of the service, such as a diabetes management app.

That means Facebook will probably need to rework its data policy and terms of service, said Finn Lutzow-Holm Myrstad, director of digital policy at the Norwegian Consumer Council, a nonprofit group in Oslo. He added that he thought the law would also require Facebook to give users more “real choices, not take it or leave.” The current data policy requires people who sign up for the social network to allow Facebook to, among other things, track them on many other apps and websites.

Sherman, Facebook’s deputy chief privacy officer, said that Facebook was updating its terms of service and data policy to ensure that it complied with the new European law. Those updates cover users worldwide, with legal variations in some places.

The European law gives individuals the right not to be subject to completely automated decisions which significantly affect them. These decisions could include credit algorithms that use an individual’s data to decide whether a bank should grant him or her a loan.

Privacy International said the clause on automated decisions could allow consumers to challenge Facebook practices like political advertising, which can be sent to users based on algorithms, because the ads are meant to sway users’ votes.

Facebook currently has a section called “Your Ad Preferences” that allows users to opt out of seeing ads based on their relationship status, employer, education, interests, and use of websites and apps. Users can also hide ads related to three topics — alcohol, pets and parenting — or suggest a topic they would rather not see ads about.

The European law gives people the right to obtain a copy of the records that companies hold about them.

Facebook already allows users to download a copy of their information — such as the messages they have sent on the service and the status updates they have posted.

At the end of March, the company announced new tools to let its users see and delete information such as their friend requests and their Facebook searches.

But if Facebook wants to offer European-level privacy protection to all, it would also need to provide its users with the data that Facebook itself collected or created about them, including any categories, descriptions or behavior scores Facebook assigned to them, European privacy experts said. And it should provide users who seek their own records with any data that Facebook has obtained from tracking them around the web as well as any data that Facebook obtained about them from third parties, like data brokers, they said.

“You exercise your access rights and you have the right to know everything about you,” said Giovanni Buttarelli, the European data protection supervisor who oversees an independent European Union authority that advises on privacy-related laws and policies.