Facebook's privacy policies hit a language barrier

As the social network expands overseas, it will come to blows with countries that have very different ideas of what a corporation can do with users' private information.

Caroline McCarthy Former Staff writer, CNET News
Caroline McCarthy, a CNET News staff writer, is a downtown Manhattanite happily addicted to social-media tools and restaurant blogs. Her pre-CNET resume includes interning at an IT security firm and brewing cappuccinos.
Caroline McCarthy
5 min read

McDonald's. Blockbuster. And now Facebook? The social network and its controversial privacy policies are teeming with new complications as regulators overseas increasingly start to regard them as a suspicious, Americanizing import.

This week, data protection officials in Hamburg, Germany, sent a menacing missive in Facebook's direction, accusing the social network of partaking in illegal activities by retaining data about people who aren't members of the site but whose contact information may have come into its possession through members' e-mail importer tools. Last year, the privacy commissioner in Canada put significant pressure on Facebook to simplify its privacy controls, citing concerns that were pulled back into the spotlight when a Toronto law firm filed suit against Facebook this month, for which it's seeking class-action status.

There will be more incidents like these. Facebook's privacy policies, however maligned by advocacy groups, have thus far held up decently well in the U.S.; a coalition of senators who called attention to the amount of data that Facebook shares with third parties quieted down when the social network made some modifications. But more than three quarters of Facebook's users live outside the U.S., in countries where laws are different, and where lawmakers are much less likely to agree with the Facebook concept--or even the American concept--of online privacy.

"It's the essence of Facebook that you, as a U.S. resident, are able to reconnect with that transfer student from Paraguay from when you were in sixth grade," said Paul Bond, an attorney with law firm Reed Smith who specializes in data protection and privacy. "That global operational reality is challenged to the breaking point by the patchwork of privacy laws in different countries. The fact of the matter is, while people on social-media networks want to be able to seamlessly interact with one another, they are citizens of nations. Those nations have their own rules with regard to data privacy protection, and they expect them to follow those rules."

Facebook representatives were not immediately available to answer a question about how it currently deals with data protection regulations in different countries.

It's not that the Facebook juggernaut is unwelcome overseas. Politicians, candidates, and regulators around the world near-universally understand the power of the social network and its connections, with fan pages a crucial part of election efforts geared to young voters and interest groups now virtual home bases for activism. And Facebook has even begun formal collaborations with governments. On Friday, it announced a partnership with the office of the British Prime Minister on "The Spending Challenge," a project to crowd-source solutions to the country's budget deficit.

But that doesn't mean they're all willing to accept what Facebook's selling them with regard to how it handles user data, from how long it retains information from deleted accounts to how much of a member's profile can be shared with third-party partners. The privacy regulations of a company or a sovereignty are as much reflections of a culture's ethical values as they are fine-print rules. And the strict data protection laws of many European countries, particularly Germany, emerged out of the psychic scars of autocratic governments. This has created complications for many a U.S. tech company: the E.U. sparred with Microsoft, and it's still not through with Google--particularly its tight-lipped search algorithms and the alleged intrusions of Google Street View. Now, with Facebook's profile ever growing in Europe, it's a bigger priority for regulators.

"It is a space that is not very mature," said Trevor Hughes, executive director of the International Association of Privacy Professionals. "Privacy, as an issue, all of us know it and know it to be ancient in terms of a human interest. As a legal concept, consumer privacy is very, very new so all of those things get thrown into a very unstable policy environment. It makes it very challenging for companies."

Those complications are already evident in the fact that many of the contests, promotions, and advertising campaigns on Facebook that leverage its web of social connections are restricted by country--as they would be on any ad-supported Web property. The same applies to media: The selections on Apple's iTunes Store differ from one country to the next based on licensing and availability. Drive across the border from the U.S. to Canada, and you can no longer watch videos on Hulu.

There is, however, a sensitivity inherent in regulating companies' access to user privacy that simply isn't there when it comes to determining whether all the roadblocks have been removed when it comes to legally streaming the final season of "Lost" online in Argentina. Member-created data is the lifeblood of Facebook: It's taken on the role of a global tool of connection and communication, creating more friction for both Facebook and its users if a member in Spain is using a site governed by different policies than one in Canada. Consider this: If a college student from Munich takes his laptop on a semester abroad at Stanford, uploads photos to his Facebook account while living in the U.S., and then goes back to Germany, to which country's privacy laws are those photos subject to?

"Facebook, and everybody else, uses all this data for marketing and advertising purposes," said Francoise Gilbert, an attorney with the Bay Area-based IT Law Group, who advises multinational companies on how to deal with how regulations differ from one country to the next. "That's where it complicates things. Because our information, the public's information, is being sold left and right and reused for advertising purposes."

None of this even begins to take into account the fact that Facebook also now has to deal with countries where digital-media and privacy regulation may involve censorship, snooping, and activities far more nefarious than, say, requiring that third parties may only hold on to Facebook member data for 24 hours. The Chinese government has blocked access to Facebook on occasion. Telecommunications regulators in Pakistan and Bangladesh temporarily cut off access to the site amid the rise of fan pages and groups that the two predominantly Muslim countries determined to be blasphemous. The ongoing drama between Google and the Chinese government over whether to censor search results would indicate that Facebook's dealings with governments that disapprove of content on its servers will only escalate.

This litany of current and forthcoming complications hits Facebook where it hurts: The social network has said time and again that it wants to keep things simple, and some of the most forceful accusations from privacy advocates disapproving of its policies have been that Facebook's explanations of exactly what it's sharing with whom are so convoluted that the average member is left perplexed. Changing policies in accordance with international borders could muddle things further.

"What all of these people are asking is that it be more simple, more understandable, so it should not be more complex," attorney Francoise Gilbert said. "If it's more complex, then everybody has lost."