Damage Control - Facebook Pulls Out of GDPR Range
On April 19, Facebook announced that it plans to store all non-EU international user data in the United States instead of Ireland. This affects approximately 1.5 billion users located outside the EU and, for those users, means Facebook is not subject to the General Data Protection Regulation (GDPR), which takes effect in a few weeks on May 25.
Under the new GDPR, regulators in Europe would be able to fine companies that collect personal data of their users without their explicit permission. The GDPR also gives European users the right to know what data is collected on them and the right to have the company delete that data. Fines for non-compliance are up to 4% of global annual revenue, which could be a huge financial penalty for a company like Facebook. Given its current situation and exposure, this was probably the right business decision.
In contrast, Apple has stated that they will give American users the same privacy rights afforded to European users under the GDPR.
Judging by recent events, the bills being introduced very soon in Congress regarding user data privacy regulations in the United States will change the privacy landscape to look more like that of the European Union. It will be interesting to see what specific regulations and penalties we end up with in the United States. This is something all companies collecting data from users located in the U.S. should be concerned about. We suggest these companies consider a privacy audit to start looking at their current contract language and protocols so that any gaps against new regulations can be addressed. The last thing a tech company wants is exposure to high-dollar fines and lawsuits.