Mark Zuckerberg’s personal notes hint that Facebook isn’t ready for GDPR

  • A photograph of Facebook CEO Mark Zuckerberg’s private notes shows how thoroughly he was briefed ahead of his grilling by Congress in Washington, DC, on Tuesday.
  • One section that stood out was a clear instruction: “Don’t say we already do what GDPR requires.”
  • This refers to a new European privacy law that will force Facebook to give users much more control over what data they share.
  • The notes suggest Facebook isn’t fully ready for GDPR, which comes into effect on May 25.

Mark Zuckerberg had an awful lot to remember during his grilling by Congress on Tuesday, judging by pages of private briefing notes captured by a quick-witted AP photographer.

The pages give us an insight into how Zuckerberg was thoroughly coached not only on predictable topics like Russian election interference, but wider areas such as the lack of diversity in Silicon Valley.

There’s one section right at the bottom of the notes which will stand out to anyone interested in online privacy.

The note reads: “Don’t say we already do what GDPR requires.”

GDPR is the upcoming General Data Protection Regulation, a new European law designed specifically to bring web giants like Facebook to heel over the way they suck up vast amounts of user data. The regulation comes into effect on May 25.

One of the most important changes under the regulation is that Facebook will have to proactively ask for your explicit consent to process data on your ethnicity, race, sexual orientation, political views, and religion.

The note suggests that Facebook hasn’t quite worked out how it will do this. According to Fox Rothschild lawyer Mark McCreary, this won’t be some small pop-up box but something “disruptive” to your day-to-day browsing experience. To that end, Zuckerberg’s notes read: “GDPR does a few things … Requires consent – done a little bit, now doing more in Europe and around the world.”

The note also reads: “Provides control over data use – what we’ve done for a few years.”

That’s only true to an extent. You can determine what data you share with Facebook, but you can’t then control or really understand how Facebook uses that data unless you go digging around in your privacy settings. Under GDPR, Facebook and advertisers will need to be much clearer with you about what data they are using and why.

Facebook will soon need to let people download their data then take it to a rival service

Zuckerberg’s briefing notes make absolutely no mention of data portability, another big, important requirement under GDPR. This essentially means that European users will be able to download their data from Facebook, then take it to a competing service.

As consultancy firm PwC puts it: “[Users] should be able to move between service providers without any loss of data and, therefore, enjoy a seamless transition that avoids the data subject having to re-input any information.”

It’s possible that Facebook hasn’t really worked out how it will do this – how exactly are you meant to transfer all your wall posts to another service? What would that look like and what format would the data take?

Facebook did not immediately respond to a request for comment.

GDPR could cost Facebook and Google a lot of money

Not only will GDPR potentially rewrite how users actually use Facebook, Google, and other big tech services, it could cost those companies an awful lot of money if they don’t comply with the rules and if users decide to revoke access to their data.

Companies face fines of up to 4% of their annual turnover if they break the rules.

And if users opt out of sharing their data, that could wipe out 2% of Google’s revenue, and cost Facebook $2.8 billion.