Facebook is moving 1.5 billion users away from protection just before the law becomes a reality in May 2018. GDPR, the General Data Protection Regulation, restricts what companies can do with people’s online data. If the GDPR went into effect right now, almost 1.9 billion Facebook users around the world would be protected by it. But soon that won’t be the case.
Currently, Facebook members outside the United States and Canada are governed by a terms of service agreement with the company’s international headquarters in Ireland. Because Ireland is a member of the European Union, GDPR applies to the Irish unit and all its users, even if they are not EU residents.
Transferring all non-European users from Facebook in Ireland to Facebook in the US means that Facebook members in Asia, Africa, the Mideast, and Latin America lose GDPR protection. With this change, only Facebook users who are European residents are protected by GDPR.
That shift will let Facebook data-mine its non-European users more thoroughly than it could if it kept the Irish unit as the legal entity those users contracted with.
Although the public cloud providers are not social networks, you can expect similar legal shenanigans to remove non-European users from GDPR requirements, as well as from other regional or national laws that the cloud providers dislike. China, for example, also has tough laws on the management of data used by its citizens or stored on its soil (laws generally meant to provide government access to that data).
In the next few years, I’m sure the cloud providers will provide options to host data in regions that are strategically set up to avoid some country-based regulations, such as GDPR.
I don’t think there are any evil intentions here. Companies avoid taxes all the time by moving money around, so why not do the same with data? This is legal and should be expected when new regulations are created. Businesses must figure out a way to comply, get around the regulations by finding loopholes, or take evasive action, as Facebook did when faced with GDPR.
Of course, the regulators will complain that, while the companies are in compliance with the letter of the law, they are not operating within the spirit of the law. I’m sure that will generate some laughter in the boardrooms.
For enterprises and users alike, it’s yet another new wrinkle to understand and pay attention to.