As its co-founder and CEO prepares to testify later today before the United States House of Representatives in the wake of the Cambridge Analytica scandal, a reeling Facebook is being urged to adopt the GDPR globally.

In a letter to Mark Zuckerberg, members of the Transatlantic Consumer Dialogue, a coalition of US and EU consumer groups, wrote:

The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process. The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located.

The letter comes less than a week after Zuckerberg stated that he agreed “in spirit” with the GDPR but refused to commit to adopting it worldwide. “We're still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he told Reuters, a statement that is unlikely to satisfy the growing number of critics of his company.

While it remains to be seen whether or not Facebook will eventually give in, the situation does raise an interesting question: should companies adopt the GDPR as a global standard, applying it to users and customers they aren't required to?

Here are four reasons why they should consider it.

GDPR compliance is no simple task

While many companies with the greatest exposure to GDPR risk are still ill-prepared for its impending implementation, as the risks come into focus and the inevitable initial enforcement actions demonstrate that they're not merely theoretical, expect to see a scramble for compliance. 

Unfortunately, complying with the GDPR is not exactly a straightforward process. Understanding what the rules are and figuring out what specific actions need to be taken to comply has proven to be quite an undertaking for many companies. Given that, companies should consider that if they're going to make a substantial investment of time and money to comply, it might make a lot of sense to leverage that investment across all their operations. 

Global application might be easier

For many companies, trying to treat individuals subject to the protections of the GDPR differently than individuals who aren't might actually prove to be more difficult and costly than simply treating all individuals the same regardless of where they're located. 

Consider, for example, the fact that a US citizen who moves to an EU country would be covered by the GDPR. For many companies, detecting such a move and responding to it might prove more difficult than it seems it should be.

Similar regulation is likely coming outside of the EU

There's a growing consensus that GDPR-like regulation will be adopted outside of Europe, including in the US. While it's likely that there will be differences between regulations in different parts of the world, expect to see countries like the US look to the GDPR as a model when they get around to creating their own scheme.

This means companies that embrace the GDPR as a global standard will likely be better positioned to comply with similar regulations when and as they're implemented.

The tide has turned on privacy

Perhaps the biggest reason companies should consider applying their GDPR compliance to their global operations is that it's becoming increasingly evident that there is a sea shift taking place vis-à-vis data collection, usage and protection.

The Cambridge Analytica scandal is no longer just about Cambridge Analytica. Instead, Facebook's practices are being scrutinized in a way they never have been before, and while it's still too early to predict what exactly will happen, the actions Facebook has taken to date suggest that even it knows the largely unregulated data Gold Rush is fast coming to an end.

Put simply, in the post-GDPR world, data will have the potential to be a huge liability, not just an asset.

The implication for companies: it might be wise to accept this and proactively prepare for substantially more rules around how data is collected and used.


Note that this article represents the views of the author solely, and is not intended to constitute legal advice.

Published 10 April, 2018 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.

Comments (1)

Pete Austin, Founder and Author at Fresh Relevance

I agree: given the mess that Facebook is currently in, it has little choice but to provide enhanced data protection across the globe and it may as well align this with the GDPR, and Zuckerberg seems to be close to agreeing this.

“Overall I think regulations like this are very positive” Zuckerberg said on a conference call with reporters today. “We intend to make all the same controls available everywhere, not just in Europe.... Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places. But let me repeat this, we’re going to make all the same controls and settings available everywhere, not just in Europe.”

Going forward, one area where Facebook will have legal problems is that it is trying to act as data processor in situations where it is in reality the data controller. This matters because the data controller is the one responsible for informing data subjects and getting consent where necessary.


"Custom Audiences When we match your CRM data to our user database and create a Custom Audience for your advertising campaigns, we are the data processor."

"Advertiser Terms Where Facebook provides services to our EU partners as a data processor on their behalf, we'll ensure that we comply with the specific requirements for data processors".

The issue here is that the brand using Facebook for marketing in these cases may have literally ZERO contact with some of the data subjects. For example, where they are using a custom audience to seed a lookalike audience, or where they are targeting adverts based on Facebook user details. Facebook knows this - that brands are unable to act as data controller whatever the contract says - and so this role de facto falls on Facebook.

4 months ago
