'Trust a bigger motivator than fines for Facebook'
With under a year to go until the tough new EU rules on data protection are introduced, Facebook is ramping up its plans to ensure it doesn't fall foul of the new law. Our technology editor spoke to global deputy chief privacy officer, Stephen Deadman.
Europe's General Data Protection Regulation (GDPR) dramatically raises the stakes for companies doing business within the EU. Aside from potential fines of up to €20m or 4pc of annual turnover, the whole way that customer data is dealt with has to be rethought.
It's likely that no company feels this more acutely than Facebook, the social media giant with a permanent public focus on its data privacy record.
According to the tech firm's global deputy chief privacy officer, Stephen Deadman, Facebook is revamping much of what it's doing to get ready for next May's legal deadline.
This includes the hiring of a Dublin-based data protection officer and new ways to design data privacy elements attached to Facebook's products.
The GDPR allows for fines of up to 4pc of a company's annual revenue. In an adverse finding against a company of Facebook's size, that could run into hundreds of millions. Is Deadman worried about the scale of the enforcement regime?
"The fines are bigger, sure," he says. "But the stakes have been high for us for a long time. Fines are only one part of the piece. Reputation and trust are absolutely critical. Trust is really a bigger motivator for us in getting it right."
One thing that big US tech companies sometimes refer to is the 'collaborative' relationship they enjoy with the Irish data protection regulator. They say they can approach the office run by Data Protection Commissioner Helen Dixon to seek clarification on issues without it counting against them in a strictly adversarial fashion.
Does Deadman hope to see that continue after the GDPR comes into full effect?
"I don't think it's going to change," he says. "A lot of research suggests that fines do not produce the best outcomes. It's often collaboration. Leadership from regulators is a far more effective way of producing better outcomes. What Helen's office has witnessed in the last year is a massive expansion in resources and this recognises that office's role as the de facto digital regulator for Europe based on the number of tech companies based here.
"Understanding companies like Facebook, which are large and complex, requires a lot of engagement. That's definitely been a strength of Helen's office for us. But we also have to invest in resources so that we can engage at the level that her office would demand. So that means having a DPO based in Dublin with access to all the right resources in the company. It's a key hire for us."
Deadman says that this person, to be hired in the coming months, will be a senior position reporting to a committee ultimately overseen by Mark Zuckerberg and Sheryl Sandberg.
"It's partially to ensure that the Irish data protection commissioner has someone she can go to," he says. "We now have hundreds looking at privacy from all functions of the company, engineers, researchers, legal and policy and security people. We'll be bolstering that team and investing huge amounts of energy in improving the program."
Facebook recently announced its intention to expand its facilities in Dublin with a new Docklands building that can accommodate 800 more workers. Some of those new staff will deal with the new responsibilities the GDPR brings. However, the company faces regulatory investigations across Europe, not just in Ireland, even if the new data law places an emphasis on Ireland as Facebook's primary regulatory base. In recent months, Facebook has had regulatory kerfuffles with authorities in France, Belgium, Holland and Italy, some leading to fines. Does Deadman think that the GDPR concentrates the company's data privacy obligations in Ireland?
"Well, the regulation makes things a bit clearer with a one-stop shop, which we think is a good thing," he says. "That mechanism doesn't exclude regulators around Europe raising issues and they can raise those issues with the lead authority, which for us is here in Ireland. That will continue."
Rather than remaining reactive, though, Deadman says that Facebook is trying to get ahead of issues with a new design approach to its data privacy structure. A series of developer and designer events (called 'Design Jam') have been organised around Europe to focus on improving issues such as transparency and data privacy visualisations for Facebook's users.
"Millions of people currently work in collaborative environments which they call a jam," he says. "It's a service design methodology and it's well understood in design communities. At the moment we try and solve these problems with lawyers and regulators. So when it comes to transparency, trust and control, the consumer is left feeling fairly frustrated because what they see is not something that's necessarily been designed for them, but was created in a very legalistic and regulatory environment. We want to break that open. We've brought together hundreds of experts to tackle the problem.
"A central part is how to give our users a better degree of control over their data and transparency."
So what will this mean for how Facebook users will see GDPR in their services?
"I would expect there to be changes of various things, both at the back end and the front end," says Deadman. "The user process will start with the designers. There will be contrasts. People who use Facebook want it to be quick and simple, they don't want things that are long and legalistic. Lawyers and regulators are pretty bad at this."