By: Jessica Garner

In January, I wrote a piece about the General Data Protection Regulation (GDPR), a European provision aimed at giving users more control over the data they share online. Quick recap: The European Union will institute many new rules to protect user data, including the oft-cited “right to be forgotten.”

The premise of my earlier article was that the GDPR might be a sort of canary in the proverbial coal mine. Seeing how the rest of the world reacted to the regulations would be a solid chance to gauge how much power governments would have to shape privacy in the online domain. These sort of privacy concerns go to the heart of many intellectual freedom issues, particularly where anonymity is required for research and online interaction.

But, if I may quote myself: “Individually, each of the mandates inside the GDPR have a wide range of potential effects on data privacy. They also come with a substantial number of legal, logistical, and ethical questions, if not actual challenges to implementation.”

The most visible challenge to authority and implementation came last week. The challenger: Facebook.

Like a vague, passive-aggressive post on the social media site itself, Facebook changed its terms of service for a whopping 1.4 billion users without warning. The social media stalwart moved the governance of these users — based in Africa, Asia, South America, and Australia — away from the company’s overseas headquarters in Ireland. Previously, those users would have fallen under the jurisdiction of the GDPR. The European authorities would have then had recourse to fine Facebook up to 4% of global revenue, according to Reuters, if they were found to be in violation of the European privacy rules.

Reuters also reported Irish officials had no idea the move by Facebook was coming.

These moves were made almost simultaneously to Facebook CEO Mark Zuckerberg’s testimony to Congress on a host of issues, including the acquisition by Cambridge Analytica of a trove of account data from Facebook.

Facebook has already begun rolling out a new suite of data protection tools for users, but many observers have still characterized the move as duplicitous. Others have simply labeled the move a commonsense business decision to protect the company from liability.

Of course, if we pull focus beyond just Facebook and look more broadly at what the GDPR means for internet privacy (and, by extension, key tools of intellectual freedom), it seems a glaring loophole has been exposed. It remains to see what other companies may exploit before the May 25 date of implementation for the new laws.

 

---

Jessica Garner is the Access Services Department head at Georgia Southern University and has worked in public and academic libraries for over ten years. She has been involved with Children’s Services, Collection Development, Cataloging and Interlibrary Loan first as a public librarian at Live Oak Public Libraries and then at Georgia Southern University. Her scholarship interests include Interlibrary loan, intellectual freedom, and patron services. Find her on Twitter @jessCgarner.