Facebook’s Privacy Vision from a GDPR Perspective

On Wednesday, Mark Zuckerberg described a new ‘Privacy-Focused Vision’ for Facebook. The change feels a bit overdue, after Facebook’s privacy antipathy led to two consecutive quarters of declining users. In his blog post, Zuckerberg laid out the vision for a new ‘privacy-focused platform’:

We plan to build this the way we’ve developed WhatsApp: focus on the most fundamental and private use case — messaging — make it as secure as possible, and then build more ways for people to interact on top of that, including calls, video chats, groups, stories, businesses, payments, commerce, and ultimately a platform for many other kinds of private services.

By enabling ‘private’ services, Zuckerberg intends to give users privacy from other users and from Facebook itself. With secure communication as a foundation, his plan includes:

  • Encryption by implementing end-to-end encryption in all messaging applications.
  • Interoperability by integrating Messenger, WhatsApp, and Instagram so that users can communicate across applications and see notifications from each app in one place.
  • Reducing permanence by adding expiration dates on stories and messages.
  • Secure data storage by housing sensitive data in data centers in countries with strong privacy laws.

An optimistic reader might applaud Zuckerberg for finally caring about his users’ privacy more than Facebook’s ad-based revenue model. Indeed, using WhatsApp’s end-to-end encryption across all messenger applications reduces the granularity of data that Facebook can gather, which in turn hurts Facebook’s ability to create hyper-targeted ads. But after being immersed in the world of General Data Protection Regulation (GDPR) compliance for three years, the bulk of his plan looks very similar to what his platforms have to do in the EU anyway.

To demonstrate, let’s look at his plan from a GDPR lens.

  • Encryption. The GDPR’s Article 32 requires encryption and confidentiality of data that would include direct communications on Messenger/Instagram/WhatsApp.
  • Reducing permanence. Recital 39 stipulates that time limits for data retention should be established so that data isn’t kept longer than necessary, and Article 17 of the GDPR gives people a right to erase their personal data, which implicitly requires lack of permanence.
  • Secure data storage. Chapter 5 of the GDPR imposes strict rules around transferring data to countries with looser privacy standards. If a government could easily collect personal data from companies without a warrant, the GDPR would give Facebook a hard time transferring data there, regardless of the contractual safeguards in place.

Interoperability facially looks a bit like the GDPR’s data portability requirement, which would allow individuals to move their personal data from one platform to another. Zuckerberg pitched interoperability as being consumer-oriented and security-enhancing. But Senator Richard Blumenthal and a vociferous Techcrunch article warn that it’s probably more likely to decrease competition in the space instead. Integrating Instagram, WhatsApp, and Facebook increases the individual convenience of each application. It paves the way to entice people back onto Facebook after leaving it for WhatsApp. It also serves as an implicit marketing push to get younger generations who only use Instagram onto the other apps. We can see this ulterior motive in Zuckerberg’s desire to integrate safe and easy payment functions in those applications. In the end, interoperability only functions within the walled garden of Zuckerberg’s conglomerate, which could decrease competition.

With this in mind, touting privacy protections seems like a preemptive push against future antitrust claims once Facebook/WhatsApp/Instagram corner the market. One of the founding guidelines of American antitrust and European competition law is the concept of consumer welfare. If Zuckerberg can pitch his mini-merger in the lens of increasing consumer welfare (by helping privacy and ease of use across apps), then trust-busters may have a harder time making a winning case against him.

To be sure, we shouldn’t downplay the fact that Zuckerberg’s reorientation towards privacy is a positive step towards ethical data management for Facebook. But the regulatory and social drivers make me hesitant to call it proactive, or even beyond what Facebook is already obliged to do. So before we start reactivating our Facebook accounts, it might be wise to wait and see whether and how Facebook delivers on its promise to be privacy-protective.