The problem with Facebook’s new "privacy experiences"

Experts say Facebook’s GDPR privacy changes still leave big questions unanswered

By Nicole Karlis

Senior Writer

Published April 18, 2018 5:53PM (EDT)

 (Shutterstock)
(Shutterstock)

Facebook announced on Tuesday that it is launching new “privacy experiences,” in their words, as part of compliance with the EU’s General Data Protection Regulation (GDPR). While Facebook is only required to implement the GDPR-compliant privacy controls to Europeans, the social network said it will expand the new controls to users around the world, too. But many people who have been demanding answers on data and privacy from Facebook CEO Mark Zuckerberg recently remain unimpressed.

Companies, under the GDPR-compliant controls, will be penalized—as much as 4 percent of their annual revenue—if they collect or use personal information without a user’s consent. Facebook, in its announcement, said that the new privacy controls will not only comply with the law but will also “go beyond our obligations to build new and improved privacy experiences for everyone on Facebook.” The new rule goes into effect on May 25, 2018.

Specifically, it will ask users to review how Facebook uses data from partners and regarding how the information in their profiles are used. Users will be able to choose whether or not Facebook can use data from advertising partners to show users ads, and they will also be able to choose if they want information—like religious views, political views and relationship status— in their profiles to be shared with Facebook. In addition to these privacy controls, users will be asked to agree to the updated terms of service and data policy. Facebook has also updated its “activity log” on mobile to make it easier for users to view the information they’ve shared with Facebook. The announcement also mentioned updates to the face recognition technology.

But not all who have been demanding answers on data and privacy from Facebook CEO Mark Zuckerberg are gleaming in light of this announcement.

U.S. Representative Bobby L. Rush, D-Ill., told Salon via a statement that he’s “pleased” to see this latest initiative, but said there are still important questions that remain unanswered. “Specifically, their announcement noticeably has no information on when these protections will go online for users in the United States. Also, their announcement has no information on how users can ensure that Facebook is deleting whatever information it holds on them (as provided for in the GDPR’s Right to be Forgotten),” he told Salon in a statement. “It should be noted that in the recent Energy & Commerce hearing, Mr. Zuckerberg commented on Facebook’s collection of data for non-users for ‘security purposes.’ This announcement has no information on how these individuals, who do not have a Facebook account, can ensure their information is deleted and how they can opt out of Facebook’s data collection.”

As Rep. Rush explained, Facebook doesn’t expand in its announcement that it will “include more detail in response to questions about how our services work.

“Most importantly, Facebook continues to frustrate many by putting the onus on its users to opt-in to privacy controls instead of enabling them by default,” Rush said. “If that continues to be their operating standard, Mr. Zuckerberg’s statement that he’s ‘committed to getting it right’ is nothing more than lip service.”

Another significant question raised is how will these consent forms will be presented to users. In the Facebook announcement, the details around n the controls’ presentation remained ambiguous, with the exception of a screenshot.  Ben Kochman, Senior Reporter, Cybersecurity & Privacy at Law360 explained to Salon that in the GDPR requires consent to be presented to users using clear language, but another problem is that users still may not read the text.

"The European law is really about Europeans having a right to privacy, and a right to know what information a company is collecting on them and way to opt out of that and to know about that collection before it's collected," Ben Kochman,  Senior Reporter, Cybersecurity & Privacy at Law360 explained to Salon. "But there is still this larger issue that the GDPR notices have to be in clear language and can't be at the bottom of a big chunk of text, but it still remains to be seen if people will read that."

Joel Wallenstrom, CEO of Wickr agreed that the announcement is a step in the right direction, but said there is growing need for an alternative technology to build more private spaces on the internet.

“This is definitely a critical first step taken by Facebook to restore its standing with users both in the US and Europe,” Wallenstrom told Salon. “As is the case with any contract, it is necessary to re-negotiate terms when it fails to serve customer interests or is out of date. However, we need to see innovation among technology teams and a move to build “private by design” spaces, offering an alternative to tech that’s engineered to collect and monetize user data and attention.”

While the announcement is positioned as a result of the GDPR law, Facebook indeed has ulterior motives to roll out new privacy control settings—such as gaining back the public’s trust since the Cambridge Analytica scandal. When asked if this is merely public relations protocol, branding expert Ian Wishingrad told Salon that it’s not just PR, but it’s not the best solution either.

“It’s a step in the right direction," he said. "Anything they do to exhume the legalese from the dark bowels of their basement into the cold light of day helps. It’s not just PR, but it’s not hitting CTRL+Z either."


By Nicole Karlis

Nicole Karlis is a senior writer at Salon, specializing in health and science. Tweet her @nicolekarlis.

MORE FROM Nicole Karlis