Greetings of the day!
I hope this mail finds you well after your return from the slimy homage you received in Berlin, and after today's news that the German antitrust authorities are initiating proceedings against your monster data kraken.
Just in case you missed it today: http://www.nytimes.com/2016/03/03/business/international/facebook-faces-german-antitrust-investigation.html
And in between your activities of hunting animals for slaughter, taking care of your newborn and relentlessly pondering how best to give your money to charity.
A fellow graduate of mine, Max Schrems, has needled you for many years with Austrian and European data protection law and its peculiar provisions. That said, I think you deserve to learn at your earliest convenience that the Europeans have recently decided to harmonize data protection law :-)!
This gives frayed garage companies like yours a solid base and a fresh, legally valid platform to act on. Isn't this good news, and healing for your legally wounded and suffering soul?
The bad news, however, is that the new regulation will not take effect before 2018. Sorry for the time lag -- but anyhow: does the greatest and truest pleasure not always lie in joyful anticipation?
If you want, if you really WANT, you can spend your unbridled energy right now on a fervent embrace of the new rules of the game and prepare yourself to be the future hero of data protection on a global scale!
To support your upcoming enthusiasm, which may lead to a new feeling of clarity and connectedness with all the people who trust you so much, I was kind enough to put together a brief overview of your daily data protection agenda after 2018.
SIMPLY ENJOY, share my letter with your friends and colleagues -- and hopefully donate me a LIKE.
To begin with: From whom is protection needed?
Before I begin, let me explain something important to you.
Europeans have a different concept of DATA PROTECTION than guys like you in the US. Data protection in Europe does not mean, or at least not only mean, protecting the data in your hosting center against unauthorized access by hackers or terrorists (while you yourself abuse and exploit the data uninhibited).
No! Data protection in Europe means instead that your customers are protected against YOUR OWN misuse of their data. I know, given your humane attitude and your good will to spread facebook all over our globe, even in India, this might sound really strange and paranoid to you.
But, to paraphrase a well-known saying, trust in your enhanced address book operator is good -- but REAL PRIVACY is better. And, believe me, Europeans have historically grown very good reasons to insist on this; their attitude values human dignity and respect more closely, and is thus in the end the more humane and modern approach compared to that of the US.
So enough beating around the bush -- let us enjoy the details!
1. European General Data Protection Regulation: One continent -- one law
Do you really like Ireland from the bottom of your heart?
There were vile rumours that you based your office in Ireland only because data protection and tax laws there are the weakest in Europe. This statement might be true or simply a slur on your reputation.
Anyhow, now you can relax and have full trust that data protection regulation is VALID everywhere in Europe in its unified beauty :-)! So you are FREE now, e.g. to move your garage boxes to Berlin, the city of your intimate dreams, and from 2018 on enjoy the same high data protection standards as in Dublin!
However, one restriction remains: each country can decide the minimum age for joining your wonderful system. That said, it seems you have to become aware of each European country individually and let your coders implement this additional differentiation as a European extravaganza.
Maybe you take the bull by the horns and travel around a little bit to learn more about the different countries in Europe and about all the people here who use your system? And settle down where you enjoy being … at least you are for sure old enough to use facebook in each country within the EU :-).
And if you behave with humility and respect global standards like data neutrality, you might even find more acceptance than in India recently :-).
2. Right to forget
If a user wants to banish himself for whatever insane reasons, there is no need for his or her leprous profile to spoil your precious database any longer: he or she can ask you to DELETE the dataset.
When I say DELETE here, I mean DELETE in its true legal and technical sense: setting a flag named "delete", as you did in Max's case, WON'T be sufficient.
This means you have to let your coders add new functions to your database so that the system does not break down when you do this; in programmer's slang: to maintain referential integrity. Then your global padded room can adjust to the relieved new harmony provided by your most servile bondsmen only.
PS: And do not forget to inform any business partners to whom you may previously have handed over the data: they are obliged to delete it, too.
[Reference: Art 17 GDPR]
3. Data portability
But hold on: your coders should also add some code to extract a specific user's dataset, so that she can move to another market participant easily. This is because a user can now pick up her data and take it to another social network.
ROTFL because there is no other market participant? Ok, consider Twitter, Reddit, Google+ or even Diaspora or Friendica; I know -- all of them are much below your collar size, but see this as a chance to advance in the formerly unknown category "Facebook transparency" and set new standards in the market domain.
Maybe you even invent a "Zuckerberg's Exchange Format for Social Networking" ("ZEXFSON") and think of the indignant Google or Reddit coders who have to write an import plugin for that format ...
And note: do not use a binary format; the dataset should also be transparent and readable. E.g. recommend that your coders use some kind of semantic XML or JSON.
[Reference: Art 18 GDPR]
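The two coder tasks from sections 2 and 3 in working form, as an added example that is not from the letter or from any facebook code: a small sqlite schema with constructed sample data (the table names, user names and partner names are all assumptions), a portability export of everything held about one user as readable JSON, and an erasure that really deletes the rows (no "delete" flag), keeps referential integrity through ON DELETE CASCADE, and reports which partners previously received the data and must delete it too.

```python
import json
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE likes (post_id INTEGER NOT NULL REFERENCES posts(id) ON DELETE CASCADE,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE disclosures (partner TEXT NOT NULL,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
"""

def make_db():
    """Constructed sample data: two users, three posts, two likes, two partners."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # cascades only fire when enabled
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                   [(10, "hello", 1), (11, "hi", 2), (12, "bye", 1)])
    db.executemany("INSERT INTO likes VALUES (?, ?)", [(10, 2), (11, 1)])
    db.executemany("INSERT INTO disclosures VALUES (?, ?)",
                   [("AdPartner-Example", 1), ("Analytics-Example", 1)])
    db.commit()
    return db

def export_user(db, user_id):
    """Portability: everything held about one user as readable JSON text."""
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    posts = [{"id": i, "body": b} for i, b in db.execute(
        "SELECT id, body FROM posts WHERE user_id = ? ORDER BY id", (user_id,))]
    liked = [p for (p,) in db.execute(
        "SELECT post_id FROM likes WHERE user_id = ? ORDER BY post_id", (user_id,))]
    partners = [p for (p,) in db.execute(
        "SELECT partner FROM disclosures WHERE user_id = ? ORDER BY partner", (user_id,))]
    return json.dumps({"id": user_id, "name": row[0], "posts": posts,
                       "liked_posts": liked, "shared_with": partners}, indent=2)

def erase_user(db, user_id):
    """Erasure: a real DELETE, not a 'deleted' flag. One DELETE on the parent
    row; ON DELETE CASCADE removes posts, likes and disclosure records so no
    dangling references remain. Returns partners that must delete their copy."""
    partners = sorted(p for (p,) in db.execute(
        "SELECT DISTINCT partner FROM disclosures WHERE user_id = ?", (user_id,)))
    with db:
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return partners
```

Run the export before the erasure: once the parent row is gone, the cascades have removed every trace, including the record of which partners need to be notified.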
4. Consent for data processing
In the future you will never have nagging, dismal thoughts, wondering whether all your bondsmen are truly committed to your panopticon. The reason is that you have to ask them for consent BEFORE you process their personal data.
You have to get their EXPLICIT consent for EACH SPECIFIC DATA PROCESSING GOAL you have! In case your mind is wandering -- stay firm: you are also not allowed to pre-tick boxes or to assume further consent based on a previous agreement.
This clarity of consent will give full dedication and a hitherto unknown sense of meaning to your long working days, knowing in every second that your users are content with you and your services!
And be aware: withdrawal of consent is possible at any time!
But relax: in case they refuse, you can still anonymize the data and introduce new services without illegally utilizing personal data.
[Reference: Art 4 GDPR]
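The consent rules of this section as an added example (not from the letter or from any facebook code): a per-purpose consent ledger whose default answer is always no, where consent for one purpose never implies another, and where a later withdrawal wins. The purpose names and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed list of processing purposes; each one needs its own explicit opt-in.
PURPOSES = {"service_delivery", "ad_profiling", "partner_sharing"}

@dataclass
class ConsentEvent:
    purpose: str
    granted: bool      # True = explicit opt-in, False = withdrawal
    at: datetime

@dataclass
class ConsentLedger:
    """Per-user, per-purpose consent history. Default answer is always NO."""
    events: dict = field(default_factory=dict)

    def opt_in(self, purpose, at):
        self._record(purpose, True, at)

    def withdraw(self, purpose, at):
        self._record(purpose, False, at)   # possible at any time

    def _record(self, purpose, granted, at):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.events.setdefault(purpose, []).append(ConsentEvent(purpose, granted, at))

    def may_process(self, purpose, at):
        """No record means no consent (nothing is pre-ticked); consent for one
        purpose never implies another; the latest event for this purpose wins."""
        history = [e for e in self.events.get(purpose, []) if e.at <= at]
        if not history:
            return False
        return max(history, key=lambda e: e.at).granted

def demo():
    """Walk-through: opt in to the service, later to ads, then withdraw ads."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    before = ledger.may_process("service_delivery", t0)                    # False
    ledger.opt_in("service_delivery", t0)
    implied = ledger.may_process("ad_profiling", t0)                       # False
    ledger.opt_in("ad_profiling", t0 + timedelta(days=1))
    during = ledger.may_process("ad_profiling", t0 + timedelta(days=2))    # True
    ledger.withdraw("ad_profiling", t0 + timedelta(days=3))
    after = ledger.may_process("ad_profiling", t0 + timedelta(days=4))     # False
    still = ledger.may_process("service_delivery", t0 + timedelta(days=4)) # True
    return before, implied, during, after, still
```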
5. Privacy by Design & Privacy by Default
You are only allowed to ask for personal data if you really need it to provide a specific service (Privacy by design).
So, what does facebook really need to provide its service? That might be much less than you ask for now. So enjoy the new freedom of lean and stripped-down facebook databases, which up to now have held all that unnecessary personal information about your bondsmen.
In case you aggregate data and build profiles there are strict rules on how to minimize risk. "Risk" you might ask? The risk is to misuse the information you have piled up, because information is … power; power that YOU might misuse.
To avoid this you first have to describe what you want to collect and process. You have to conduct a "Data Protection Impact Analysis" and involve external experts to assess it. If you fail, the authorities might simply close down your data-greedy boutique until you have fixed this.
Just in case you meet Larry Page by chance, please drop him this notice:
Technical and organizational measures now have to be established on a precautionary basis in order to comply with data protection regulations. E.g. in the near future you cannot go for a drive with the Google Street View sucker car and clarify the legal issues afterwards, if at all. You have to check this in advance!
[Reference: Art 23 GDPR, Art 33 GDPR]
6. Fines
In case you do not fully embrace these regulations you will have to pull out your wallet: the upper limit of fines is 20 million EUR or 4 per cent of yearly revenue.
4 per cent of the nearly 18 billion USD revenue in 2015 equals 720 million USD, or about 640 million EUR.
And consumer associations can now file suit for certain, something Mr. Schrems had to fight for painstakingly.
[Reference: Art 79 GDPR]
7. Radical crime powered by facebook: What is still missing?
The reported hate-spin effects of facebook, which functions as a resonance chamber for stupid hate speech, remain untouched by this new regulation. It's your turn to change your algorithms to air out these dark chambers in your house.
Also remember the young people who have suffered because of bullying powered by facebook. You owe them something for sure.
8. An easy start
You can easily start thinking in the right direction by simply adjusting the data consent form on your webpage: at the time of this writing, the data consent form still references the outdated Safe Harbor agreement.
A globally active multi-billion company with nearly 13,000 employees is not able to adjust that entry accordingly, while every startup in Europe is rigidly forced to do so?
Mark, please take yourself more seriously!