How does Facebook handle GDPR?

The General Data Protection Regulation (GDPR) is a regulation that went into effect in the European Union in May 2018. It aims to give individuals more control over their personal data and impose stricter rules on organizations that collect, store, and use personal data. As one of the biggest collectors of personal data, Facebook has had to make significant changes to comply with GDPR. Here is a quick overview of some of the key ways Facebook has adapted its data practices and policies to comply with GDPR:

  • Updated data policy and terms of service – Facebook updated its data policy and terms of service to be more clear and transparent about how it collects and processes personal data.
  • Easier access to personal data – Facebook made it easier for users to access, download, and delete their personal data.
  • New consent controls – Facebook implemented granular consent controls to get explicit opt-in consent from users before processing data for certain purposes like targeted advertising.
  • Better data breach notifications – Facebook updated its procedures to notify users and regulatory authorities within 72 hours in the event of a data breach.
  • Data Protection Officer – Facebook appointed a Data Protection Officer to ensure GDPR compliance across its products and services.

In the rest of this 5000+ word article, we’ll explore these changes and updates in more depth to understand how Facebook has adapted its systems and processes to comply with GDPR.

Updated Data Policy and Terms of Service

One of the first things Facebook did to comply with GDPR was update its data policy and terms of service. These legal documents explain Facebook’s data collection, processing, and sharing practices.

GDPR requires that privacy policies be written in clear, plain language that average users can understand. So Facebook revised its documents to provide more transparency around:

  • What kinds of personal data are collected
  • How the data is used
  • How long data is stored
  • Whether and how data may be shared with third parties

Some key updates Facebook made include:

  • More specifics around data collected from third-party partners and Facebook Company Products (Instagram, WhatsApp, Oculus, etc.)
  • Details regarding how data from third-party partners is combined with data users provide directly to Facebook for targeted advertising and measurement purposes
  • An explanation of how Facebook uses facial recognition technology and user-generated content for various products and features
  • Disclosures around how Facebook leverages user data to map out professional and social connections between people across its services

Facebook also clarified the legal basis upon which it processes different categories of user data. For example, executing the user agreement constitutes the legal basis for processing data necessary for core Facebook services. Obtaining additional consent establishes the legal basis for processing data for personalized ads or facial recognition.

Overall, Facebook’s updated data policy and terms of service aim to provide much more transparency to users about how their data is handled. The documents outline standard data uses that apply to all users as well as controls and settings users can adjust if they want to limit data collection and use.

Easier Access to Personal Data

In addition to transparency around data practices, GDPR also mandated that companies give individuals the right to access their personal data.

To comply with this, Facebook introduced tools that allow users to:

  • View and download a copy of the data Facebook holds about them
  • Search for specific types of data Facebook has collected
  • Configure data deletion

Users can access these tools through the Settings menu under “Your Facebook Information”. Let’s take a closer look at the data access options:

Downloading Your Information

This tool allows downloading an archive of the data associated with your Facebook account. This expansive archive contains:

  • Profile info and contacts
  • Ad interests
  • Posts and photos
  • Private messages
  • Group memberships
  • Event RSVPs
  • Last locations
  • Pages followed and searches
  • Access log and account history

The downloaded archive comes in HTML format, which makes it easy to open and navigate on any device. This gives users a comprehensive view of the information Facebook has saved related to their account.

Viewing Your Information

For users who don’t want to download their entire archive, this option provides an easy way to review profile information, posts, friends list, photos, videos, events, groups, and pages they follow.

Everything is presented in a user-friendly interface similar to how content appears on Facebook.com. Users can search for and filter specific data types too.

Searching Your Information

Here users can search across their Facebook account for certain terms, posts, people, places, groups, events, images, videos, and other content. Advanced filters enable searching within specific date ranges too.

This makes it easy to find any mention of a particular person, event, location, or other detail scattered across years of Facebook activity. The search results come back instantly with links directly to matching posts, photos and other content.

Managing and Deleting Your Information

For users who want to exercise more control over their data, this portal provides options like:

  • Choosing who can see posts you’re tagged in
  • Limiting profile visibility
  • Removing tags from posts and photos
  • Deleting posts
  • Closing your account

The most powerful tool is the ability to delete your Facebook account and associated data. This provides a complete erasure option as mandated by GDPR. Facebook commits to complete deletion within 90 days of request.

New Consent Controls

Along with access rights, GDPR also introduced rules around consent. Companies must obtain explicit opt-in consent from users before processing personal data for certain purposes like targeted advertising.

Silence, pre-checked boxes, or default settings are no longer sufficient to constitute consent. Companies must use clear affirmative actions like having users actively flip a toggle switch to indicate consent.

To address this, Facebook implemented granular controls that require opt-in consent for specific types of data usage. For example, users must flip an enable switch for Facebook to:

  • Recognize you in photos/videos
  • Use your precise location from your device
  • Collect audio to personalize ads
  • Show you ads based on your activity on other websites and apps

Each consent option is accompanied by a popup explaining what the setting does in plain language. This provides clear transparency for users to understand why Facebook is requesting permission and what data will be gathered.

Previously these options were enabled by default. The new consent procedure gives users more self-determination over how Facebook leverages their data. It also requires Facebook to explain how the data will bring value to the user, like showing more relevant ads.

Users can access these consent settings through “Settings & Privacy” => “Settings” => “Ads”. The controls enable tailoring ad preferences, opting out of certain data collection, or disabling targeted advertising completely.

Better Data Breach Notifications

GDPR enacted strict requirements around notifying users and regulatory bodies in case of a data breach.

Breaches must be reported to the supervisory authority within 72 hours of discovery. If the breach puts users at high risk, companies must inform them directly and without delay.

Facebook’s previous data breach notifications were criticized for being too slow and downplaying the severity. To address this, Facebook established new incident response protocols to:

  • Rapidly escalate potential breaches for assessment
  • Convene cross-functional incident response teams
  • Proactively inform regulators of suspected breaches that meet reporting criteria
  • Directly notify impacted users if risk level justifies it

Going further, Facebook trained customer service teams to effectively handle data breach inquiries and provide timely information. Internal teams conduct tabletop exercises to practice responding to hypothetical breach scenarios.

This shift towards greater transparency helps rebuild user trust and ensures Facebook upholds its GDPR obligations around breach notifications. It also gives users more awareness of risks so they can take actions like enabling two-factor authentication for stronger account security.

Data Protection Officer

As part of compliance requirements, companies must appoint a Data Protection Officer (DPO) to monitor internal compliance, advise on risk assessments, conduct audits, and be the point of contact for supervisory authorities.

Given its massive data operations, Facebook needed a senior executive fully dedicated to the DPO role. So in early 2018, Facebook appointed Steve Satterfield as its first Privacy and Public Policy Director and designated him as DPO.

Satterfield spent over a decade at Yahoo and Apple managing privacy legal compliance in global roles. His appointment to this critical DPO role signaled Facebook’s commitment to GDPR adherence from the top down.

As DPO, Satterfield oversees how products and operations handle personal data across Facebook’s family of services and companies. He reports directly to Facebook’s Chief Privacy Officer Erin Egan and VP of Public Policy Joel Kaplan.

Satterfield chairs a cross-functional GDPR working group to coordinate implementation and assess risk areas. His high degree of autonomy and regular reporting to top executives empowers him to drive accountability and transparency around personal data use.

Many observers see Satterfield as instrumental to shifting Facebook’s privacy culture and upholding user rights. His leadership as DPO plays a critical role in making GDPR more than just a compliance exercise for Facebook.

Product Changes to Enable Compliance

In addition to policy and procedural changes, complying with GDPR required updates across many of Facebook’s products and services:

Facebook

  • Revamped download tools for user data portability
  • Clustering to anonymize data in downloadable user archives
  • Updated facial recognition consent flows
  • Ability to delete posts and history
  • Off-Facebook Activity tool gives transparency into websites/apps sending data

Messenger

  • Removed ability to look up users by phone number
  • Increased data deletion frequency from 1 year to 3 months
  • Removed ads based on inferred user attributes

Instagram

  • Access and download photos, comments, profile info
  • Removed Tap Home Photos feature
  • Updated data retention and deletion policies

WhatsApp

  • Delete account and associated data
  • No longer retain IP addresses after an account is deleted
  • Made data sharing with Facebook opt-in only

Oculus

  • Access and delete data associated with account
  • Allow merging overlapping Oculus and Facebook accounts
  • Enable using Oculus device without Facebook account

These changes demonstrate how GDPR prompted improvements across Facebook’s entire ecosystem to put users in more control of their data.

Ongoing GDPR Compliance Process

While Facebook made significant changes in the ramp up to GDPR, compliance is an ongoing process requiring continuous improvement.

Some ways Facebook maintains GDPR standards include:

  • Regular audits – Facebook conducts frequent audits to identify compliance gaps in products, operations and data processing.
  • PIAs and DSAs – New initiatives undergo Privacy Impact Assessments and Data Security Assessments to embed privacy considerations early in development.
  • CPO and DPO oversight – The Chief Privacy Officer and Data Protection Officer monitor compliance risks, trends and incidents.
  • Employee training – Employees undergo GDPR video courses and simulations to reinforce a privacy mindset.
  • Information barriers – Access controls prevent unauthorized employees from accessing user data.

Facebook also publishes bi-annual transparency reports detailing:

  • Government data requests
  • Content restrictions based on local laws
  • Internet disruptions impacting Facebook services
  • National security data requests
  • User complaints and enforcement trends

This spirit of transparency will continue driving Facebook’s GDPR compliance journey, even as business needs evolve.

Challenges and Criticisms

While Facebook has arguably made great strides around GDPR, it still faces challenges and criticisms:

Consent Fatigue

Despite more granular controls, many users suffer “consent fatigue” from the barrage of permission popups to enable various features and data uses. More transparency paradoxically becomes overwhelming at scale.

Evidence of Non-Compliance

Facebook has been criticized over evidence of non-compliance like millions of passwords stored in plain text and over 500 million user records exposed. These incidents raise doubts about how effectively GDPR protections are implemented.

Appointment of CPO and DPO

Facebook appointed their Chief Privacy Officer and Data Protection Officer relatively late in 2017, with possibly inadequate resources and authority to drive reforms pre-GDPR.

Scope Limitations

Some privacy advocates argue Facebook purposefully excluded subsidiaries like WhatsApp from certain GDPR protections to limit scope. Stricter controls only apply to users in the EU, while Facebook has over 3 billion users worldwide that deserve protection.

Underfunded Regulators

GDPR allows massive fines up to 4% of global revenue, but understaffed European regulators struggle to enforce discipline at Facebook’s scale. Critics say fines must keep pace with size and severity of violations to create real deterrence.

One-Time Compliance

Facebook focused heavily on achieving compliance by May 2018. But critics argue the real test is continually evolving privacy practices as risks emerge across Facebook’s sprawling networks and algorithms.

While not perfect, Facebook’s GDPR journey demonstrates how regulation can prompt companies to strengthen privacy controls and make meaningful changes at large scale. Ongoing scrutiny, audits, and feedback will be key to ensure Facebook upholds user rights in practice, not just policies.

Conclusion

GDPR represented a seismic shift for data protection rights across Europe. As a preeminent collector and processor of personal data, Facebook had no choice but to transform its systems and operations to comply.

We reviewed the most important changes Facebook made to comply with GDPR:

  • Transparent data policy and terms of service
  • User data access, portability and deletion
  • Explicit consent controls
  • 72 hour breach notification
  • Appointment of a Data Protection Officer
  • Product changes to operationalize privacy
  • Ongoing audits, assessments, and reporting

Collectively, these updates give users far more transparency and control over how Facebook uses their personal information. Facebook still has work ahead to fully live up to GDPR’s standards and spirit of empowering individuals. But the fundamental reforms driven by GDPR make clear that meaningful, large-scale change is possible when user privacy is elevated as an urgent priority. As Facebook continues balancing innovation with privacy, GDPR will remain its guiding light.