Already, one of the major new battles is becoming clear. Facebook has accepted the GDPR but has deliberately interpreted it in a minimalist way. Privacy activist Max Schrems and his new organization NOYB (None of Your Business) have used the GDPR to launch four major court cases against Facebook and its subsidiaries. If Schrems’s interpretation prevails, Facebook’s business model will be fundamentally challenged.
Facebook has accepted GDPR … but only up to a point.
Over the past several months, Facebook has gotten a lot of terrible publicity. Russian “influence operations” may or may not have had much influence, but they were able to make liberal use of Facebook to circulate memes and try to widen divisions in the U.S. public. Cambridge Analytica used Facebook data to target millions of American voters. Facebook chief executive Mark Zuckerberg has embarked on a publicity tour to try to stanch the blood loss. One of his major talking points has been that Facebook takes privacy seriously — and is demonstrating its seriousness by adhering to the European Union’s GDPR. Zuckerberg has even talked of extending GDPR protections to customers in the United States.
However, Facebook’s commitment to GDPR is more limited than some of its public statements suggest. Facebook is going to apply only some GDPR protections worldwide. It has also changed its terms of service for 1.5 billion customers outside Europe and the United States, who used to have a relationship with Facebook’s European headquarters in Dublin, presumably to make sure that the GDPR does not apply to them. Finally, it has interpreted GDPR in a way that critics describe as minimalist, for example requiring customers to consent to Facebook’s data collection practices if they are to use Facebook at all.
This has given its critics a target.
As soon as the GDPR went into effect, Schrems brought four cases under its new provisions. Three of these actions have been taken against Facebook and Facebook subsidiaries, and one has been taken against Google Android. Schrems is an Austrian activist who has been a thorn in Facebook’s side for a long time. He started by using E.U. privacy law to demand that Facebook provide the information that it held on him. He then went on to make a case against Facebook’s use of an E.U.-U.S. privacy agreement, the Safe Harbor, which resulted in the European Court of Justice taking down the entire agreement (we discuss how this happened in our forthcoming 2019 book with Princeton University Press). Schrems already has another case against Facebook that threatens to invalidate the successor agreement to Safe Harbor, as well as another means that Facebook and other companies have used to try to transport data across the Atlantic.
Schrems is arguing that Facebook cannot require European users to consent to Facebook’s data practices as a condition of doing business with Facebook. The data that Facebook collects isn’t necessarily being used to provide services to customers. Instead, data is being used to provide services to advertisers — allowing Facebook to connect customers with particular characteristics and belonging to particular demographics to people who want to advertise specific goods and services.
Schrems’s case is a dagger aimed at the heart of Facebook’s business model.
If Schrems’s case succeeds, Facebook’s business model is in serious trouble. Facebook runs what economists call a “two-sided market.” Facebook users are not Facebook customers — they are Facebook’s product. They are served up to the real customers — the advertisers who use Facebook — in precisely calculated slices. If, to take a hypothetical example, you want to advertise to men who are interested in guns and have strong conservative beliefs in the Birmingham, Ala., metropolitan region, Facebook can probably help ensure that your ads appear on their feeds.
Schrems’s case looks to drive a wedge between the services that Facebook provides to its users and the services that it provides to its real customers. He is arguing that the data that Facebook collects is often not relevant to providing the services from which Facebook users benefit, and hence they should not be required to sign up to these services. Facebook has always maintained that the services it provides to its users, and the services that it provides to its advertising customers, are inseparable. If Schrems succeeds in convincing regulators and courts that the two need to be separated, then Facebook and other e-commerce companies face an extraordinarily difficult choice. Either they abandon Europe or they radically change their business model.
GDPR is only the start of the story.
What this tells us is that the introduction of new rules is not the end of the story but is usually its beginning (again, we develop this argument at much greater length in our forthcoming book on privacy battles). Ambiguities in rules lead to battles between political actors about how those ambiguities should be interpreted. Facebook has tried to interpret the ambiguities in one way. Now it is facing an existential challenge from Schrems, who is interpreting the new rules very differently and taking full advantage of their possibilities. If Facebook wants to avoid radical change, it is going to have to convince privacy regulators (many of whom are already skeptical about Facebook) and European courts (which have been quite activist on privacy issues over the past several years) that its minimalist interpretation of the GDPR is acceptable.
Henry Farrell is professor of international affairs and political science at George Washington University
Abraham Newman is professor of international affairs at Georgetown University.