Facebook removes 1.5 billion users from protection of EU privacy law

Enlarge / Mark Zuckerberg in 2017.

Facebook has quietly altered its terms of service, making stricter Irish data protection laws no longer binding on the vast majority of its users. The revision was first reported Wednesday by Reuters.

Now, Facebook’s headquarters in California will be responsible for processing any relevant legal claims, and American law will be binding for those outside the EU.

Previously, CEO Mark Zuckerberg had said Facebook would implement new EU rules “everywhere.” While Facebook may claim that it is offering EU-style control globally, removing this provision in its own terms of service suggests that the company is trying to mitigate its potential legal liability.

“We want to be clear that there is nothing different about the controls and protections we offer around the world,” the company wrote in a public blog post on Tuesday. However, this doesn’t appear to apply to the specific legal terms, but it is limited, instead, to the features in Facebook itself.

Prior to the change, Facebook users not only in the European Union, but worldwide—outside of the United States and Canada—were subject to Irish laws as they had signed a contract with Facebook Ireland Limited.

Irish data laws will now only apply strictly to EU users. By eliminating the link to Irish data-protection law, Facebook is removing 1.5 billion users from the EU’s new General Data Protection Regulation, which goes into effect next month.

The United States, for example, does not enshrine an affirmative right of individuals to access data held by private companies.

By comparison, according to the Irish Data Protection Commissioner: “Under Section 3 of the Data Protection Acts, you have a right to find out, free of charge, if a person (an individual or an organization) holds information about you. You also have a right to be given a description of the information and to be told the purpose(s) for holding your information.”

The EU’s official GDPR site notes several differences in the new law, including, notably: “people have more control over their personal data.”

Among other changes in EU law, violations of the GDPR also provide stiff penalties for breaches of European rules: up to four percent of worldwide revenue, or €20 million, whichever is higher for large companies like Facebook.

Facebook Ireland Limited in Dublin is believed to have been created largely for tax minimization reasons.

“If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited,” the terms had previously stated.

Now, the relevant language has been changed to: “These Terms (formerly known as the Statement of Rights and Responsibilities) make up the entire agreement between you and Facebook, Inc. regarding your use of our Products. They supersede any prior agreements.”

Facebook, which declined to respond to Ars’ questions on the record, said that the change had been made in the name of the companies’ business interests. The company declined to elaborate further.

https://arstechnica.com/?p=1296577