As its co-founder and CEO prepares to testify later today before the United States House of Representatives in the wake of the Cambridge Analytica scandal, a reeling Facebook is being urged to adopt the GDPR globally.
In a letter to Mark Zuckerberg, members of the Transatlantic Consumer Dialogue, a coalition of US and EU consumer groups, wrote:
The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process. The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located.
The letter comes less than a week after Zuckerberg stated that he agreed “in spirit” with the GDPR but refused to commit to adopting it worldwide. “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he told Reuters, a statement that is unlikely to satisfy the growing number of critics of his company.
While it remains to be seen whether or not Facebook will eventually give in, the situation does raise an interesting questions: should companies adopt the GDPR as a global standard, applying it to users and customers they aren’t required to?
Here are four reasons why they should consider it.
GDPR compliance is no simple task
While many companies with the greatest exposure to GDPR risk are still ill-prepared for its impending implementation, as the risks come into focus and the inevitable initial enforcement actions demonstrate that they’re not merely theoretical, expect to see a scramble for compliance.
Unfortunately, complying with the GDPR is not exactly a straightforward process. Understanding what the rules are and figuring out what specific actions need to be taken to comply has proven to be quite an undertaking for many companies. Given that, companies should consider that if they’re going to make a substantial investment of time and money to comply, it might make a lot of sense to leverage that investment across all their operations.
Global application might be easier
For many companies, trying to treat individuals subject to the protections of the GDPR differently than individuals who aren’t might actually prove to be more difficult and costly than simply treating all individuals the same regardless of where they’re located.
Consider, for example, the fact that a US citizen who moves to an EU country would be covered by the GDPR. For many companies, detecting such a move and responding to it might prove more difficult than it would seem it should be.
Similar regulation is likely coming outside of the EU
There’s a growing consensus that GDPR-like regulation will be adopted outside of Europe, including in the US. While it’s likely that there will be differences between regulations in different parts of the world, expect to see countries like the US look to the GDRP as a model when they get around to creating their own scheme.
This means companies that embrace the GDPR as a global standard will likely be better positioned to comply with similar regulations when and as they’re implemented.
The tide has turned on privacy
Perhaps the biggest reason companies should consider applying their GDPR compliance to their global operations is that it’s becoming increasingly evident that there is sea shift taking place vis-à-vis data collection, usage and protection.
The Cambridge Analytica scandal is no longer just about Cambridge Analytica. Instead, Facebook’s practices are being scrutinized in a way they never have been before and while it’s still too early to predict what exactly will happen, the actions Facebook has taken to date suggest that even it knows the largely unregulated data Gold Rush is fast coming to an end.
Put simply, in the post-GDPR world, data will have the potential to be a huge liability, not just an asset.
The implication for companies: it might be wise to accept this and proactively prepare for substantially more rules around how data is collected and used.
Note that this article represents the views of the author solely, and are not intended to constitute legal advice.