Facebook Puts Most Users Under U.S. HQ To Sidestep GDPR Rules

Despite promises that it would expand GDPR protections to everyone, Facebook has reportedly made plans to move all of its non-EU international users from the Ireland headquarters to the U.S. headquarters.

Facebook Ireland HQ

Facebook Ireland was technically processing the account data of not just European Union citizens, but also of all the other international users, for a total of 1.9 billion user accounts. Facebook did this to benefit from small corporate taxes in Ireland. American and Canadian users’ data has always been processed by its U.S. HQ.

As the GDPR will go into effect in a month (May 25), Facebook would normally have to apply the new rules to all of the 1.9 billion accounts processed by the Facebook Ireland HQ. The company risks not just fines up of to 4% of its global revenues for privacy violations, but also lawsuits from its users.

Facebook may now be trying to limit that legal exposure by moving most of its Facebook Ireland users to the U.S. HQ. Users from Africa, Asia, Australia, and Latin America will no longer be able to file complaints with the Irish Court, so they won’t get the same GDPR protections by law.

Starting Off With The Wrong Foot

After the recent Cambridge Analytica privacy scandal, in which Facebook played a significant role due to its lax rules for sharing user data with third-party developers, the company has been trying to appease both users and regulators by promising many improvements to its privacy protections. One of the promises was that Facebook would expand the privacy controls from which EU citizens will benefit to everyone else, including U.S. and Canadian users.

Although this may be technically true to a degree, Facebook is already giving the impression that it won’t be too serious about guaranteeing those protections now that most of its users will fall under the far more lenient U.S. privacy rules.

Furthermore, because the GDPR controls are not mandated by law outside of EU’s reach, Facebook could at any time change them in the future so that it’s able to gather more data on all of the user accounts that fall under the U.S. HQ. Ultimately, Facebook has proven that even when it has to comply with privacy rules, it often doesn't, so it will be interesting to see just to what degree it intends to respect the new GDPR privacy protections outside of the EU. 

Some senators and House representatives seemed interested in bringing GDPR-like privacy rules to the U.S., too, and if that happens, it may be a way to get Facebook to keep its end of the bargain in regards to the new privacy protections.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • time_lord
    After his evasive answers to the legislators, Zuckerberg provides yet more proof that privacy means nothing to him.
  • jdog2pt0
    20901070 said:
    After his evasive answers to the legislators, Zuckerberg provides yet more proof that privacy means nothing to him.

    Well of course. That data is worth a lot to the right person. More privacy means less data, less data means less money in Zuck's pocket.