Facebook CEO won't commit to using EU privacy laws worldwide

Facebook may be complying with tougher user privacy laws in Europe, but its US users won't necessarily get the same benefit, Mark Zuckerberg has confirmed. The social network finds itself at the center of a personal information storm that simply refuses to dissipate, with the US Federal Trade Commission investigating whether it has done enough to secure the data its billions of users share.

For the FTC, the question is whether Facebook broke the terms of its agreement back in 2011. Then, the allegations were that Facebook had been sharing data from users who had previously opted-out of such actions. In its settlement, the social network agreed to twenty years of privacy audits, and to avoid such behaviors again.

"Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements," acting director Tom Paul wrote of the Commission's decision. If the FTC finds Facebook at fault, it could levy considerable fines at the company.

Outside of the US, however, Facebook's life is about to get even tougher. The General Data Protection Regulation (GDPR) is set to be enacted in late May 2018, a landmark tightening of privacy rules that sites like Facebook must comply with. The regulation includes mandatory notification of any data breaches within 72 hours, and a requirement that sites get explicit consent from users in order to collect data. The "Right to be Forgotten" principle, meanwhile, has been broadened, allowing users to petition to have personal data wiped out.

If companies don't comply, meanwhile, the GDPR has the power to fine them up to 4-percent of their global revenue. For Facebook, which recorded annual revenues of $40.7bn in 2017, that such a penalty could be considerable.

Facebook has been working on changes in how European users will deal with privacy on the site for some time, in advance of the GDPR coming into effect. The law was passed in 2016, but companies were given two years to comply fully. Asked by Reuters whether the site planned to expand those safeguards to users globally, however, CEO Mark Zuckerberg declined to confirm that.

"We're still nailing down details on this," Zuckerberg said, "but it should directionally be, in spirit, the whole thing." When pressed, though, he would not elaborate on exactly what that would mean for users. Currently, the US lacks the sort of stringent data protection safeguards that the GDPR promises for European users.