Written with Paul McKay, Senior Analyst at Forrester

After Mark Zuckerberg’s hearing in front of the US Congress last week, Facebook announced some changes to its terms of use and privacy policy. Facebook introduced the changes to enable users to manage their data privacy more easily. It is also a first step toward complying with the new General Data Protection Regulation (GDPR). What Facebook’s announcement didn’t say is that the company also decided to relocate Facebook’s international headquarters from Ireland (where it was established in 2008) to the US. In doing so, Facebook restricted the applicability of the upcoming GDPR to only those users who reside in Europe. Users located outside Europe (about 1.5 billion users) have until now enjoyed protection in accordance with the European Data Protection Directive. Going forward, their data privacy will be regulated by US data protection rules instead of the more stringent European standards. Didn’t Zuckerberg say, commenting on GDPR in front of the US Congress, that “everyone in the world deserves good privacy protections”? He did in words, but in practice Facebook relegates users’ privacy to the space of mere compliance, limiting its risk exposure to GDPR violations and to consumers’ demands for their privacy rights.

This is just more evidence of a worryingly short-sighted strategy, because:

  • Customers increasingly demand that companies respect their privacy rights everywhere. Our global research into consumer privacy attitudes and behavior shows clearly that consumers are becoming increasingly knowledgeable about the “data economy” and demand protection for their data privacy. And it’s not just what they say! Many use technology to protect their privacy online, such as “do not track” plug-ins, read privacy policies, and have declined to complete an online transaction when they have privacy concerns.
  • Privacy regulations around the world are progressively pushing toward GDPR standards. As part of Forrester’s Privacy Heat Map, we analyse the data protection rules of 55 countries. Our research highlights the evolution of rules globally to reflect GDPR-like standards. Privacy regulations in Argentina and Japan are just the latest examples of this trend. And it’s not surprising that the data protection regulator of New Zealand is investigating Facebook over alleged violations of local privacy rules.
  • Forward-looking companies are making privacy part of their business strategy. In my work on GDPR compliance strategies, I have seen interesting examples of companies that have decided to embed GDPR standards into their global privacy programs, recognizing that users, everywhere, should retain control over their data. Other companies have embraced privacy as a corporate social responsibility (CSR), because they recognize privacy as a core value of their business rather than a mere compliance requirement. These companies have set themselves up to leverage privacy to differentiate their position in the marketplace and establish a competitive advantage.
  • Meaningful compliance with GDPR delivers business benefits. Many companies that have started implementing holistic and meaningful GDPR compliance programs report experiencing several business benefits beyond meeting compliance requirements. These include improvements in their data strategies and more efficiency in the management of security and privacy policy. Most often, they cite improvement in the customer experience. Companies that think about GDPR as a compliance checklist and hope to achieve minimum compliance at the minimum possible cost will struggle.
  • Enhanced privacy can improve the customer experience. When organizations design privacy policies that promote transparency and contain simple information that allows users to understand how the company plans to use their data, for which purposes, and with whom it will share them, the customer experience improves. The updated version of Facebook’s privacy policy runs in the opposite direction. Similarly, the email notification sent to European users requesting that they agree to the new terms of service by May 25 or lose their access to Facebook further demonstrates that Facebook is missing the opportunity to fix its already broken relationship with many of its customers.

The choice that Facebook has made to recognize stronger privacy rights only for users who reside within the EU is openly in conflict with the commitment that Facebook’s CEO declared just a few days ago in front of all Facebook users. In effect, it makes those 1.5 billion users second-class citizens on the network with regard to their privacy rights. In trying to limit the detrimental effects of the Cambridge Analytica scandal, Facebook is transforming a data privacy breach (which authorities are investigating) into a breach of ethics and trust. As my colleague Renee Murphy says, every CEO, CISO, risk officer, and chief privacy officer must remember that your customers might forgive you for a security breach, but they will punish you for a breach of trust.