Facebook and the GDPR

Last week in Dublin Facebook and Google gathered together a substantial proportion of the “thought leadership” of the online child safety world from Europe, the Middle East and Africa.  It has become an annual event. Nothing else on the calendar quite matches it in terms of its size, depth and geographical reach.  We all met at Facebook one day and talked about Facebook stuff then the next we were at Google to talk about Google.  I was there because I had been invited to take part in a panel on Google’s day.

The GDPR approacheth

Google made clear they were not  quite ready to  unveil their plans for addressing the GDPR.  Facebook, on the other hand, laid it all out and not just for Facebook, but broadly also for Instagram. Any further references to “Facebook” will therefore also likely apply to Instagram. WhatsApp  was not really on the agenda but there was an announcement about it today to which I will refer later.

I know I have a tendency to write blogs that are too long so I am going to split this into two bits. In the first I will give my version of the bald facts. The second will set out my take on some of those facts.

After 25th May

  • In effect Facebook is creating two versions of  their service. Facebook as we know it today will continue, of course. I will call it the “Full Monty”. Then there’s the newbie, “Facebook Lite”.
  • With Facebook Lite the user will not be able to publish certain types of sensitive data about themselves in their profile and the range of ads they will be exposed to, while always being limited to age appropriate categories, will not be targeted at Lite users based on any sensitive data they have given to Facebook.
  • There are no provisions or circumstances which officially allow under 13s in any jurisdiction to join or use either class of  Facebook service.
  • In countries where 13 is the Article 8 age, e.g. the UK, there are no substantial changes in respect of a young person’s ability to use Facebook. They can join the Full Monty off their own bat and without more.
  • In countries where the Article 8 age is greater than 13 and a young person declares their age to be above 13 but below the relevant Article 8  age  ( i.e. 14 or 15), Facebook will seek parental consent before the young person can proceed to the Full Monty.
  • Pending such parental consent being obtained, or by choice, a person can become and remain a member of Facebook Lite.
  • I am not sure what happens if a parent eventually declines to give permission but my guess is the young person can stay on anyway as a member of Facebook Lite.
  • A UK person who declared themselves to be 13 may have to jump through a few hoops to come out of the Full Monty in order to end up with Facebook Lite but, in principle, one way or another, I am pretty sure that option is available.
  • Lite does not depend upon Facebook obtaining anyone’s consent. The Article 8 age is therefore irrelevant and is why Lite can and must function in the more limited way  I have outlined.
  • In relation to Lite, Facebook is instead  relying on Article 6 1 f of the GDPR which establishes “legitimate interest” as the basis of the lawful processing of data.
  • Facial Recognition cannot be turned on unless the person is 18.   I believe the same is true in respect of location based data or services.
  • With WhatsApp the minimum age within the EU will be 16 in every jurisdiction, irrespective of the Article 8 age.

Where I have expressed a provisional or tentative view above, if I have got it wrong I’ll correct it later and let you know. It’s not easy being the Lone Ranger.

My verdict on Facebook’s overall package? It’s a curate’s egg. There are good parts and parts that are not so good.

Bits of  of Facebook’s proposals are privacy and child safety enhancing

I can see that parts of what Facebook are proposing are privacy and child safety enhancing, at least in those countries where the Article 8 age is greater than 13. Allowing children a form of access even without parental consent will also be welcomed in some child rights quarters, although I doubt it will be universally well-received.

Different levels of risk

Hitherto, some children’s organizations have argued not every action a child can take on Facebook and other Apps carries the same degree of risk or has the same potential to do harm. A single sign on  getting you into everything was therefore probably not appropriate. That may make things more complex for companies but that’s another matter.

Facebook appears to have acknowledged and accepted that by creating the split between the Full Monty and Facebook Lite.

No age verification

In Dublin Facebook said they had no plans to deploy age verification,  either for Monty or Lite. They gave two reasons: they wished to respect the principle of data minimization (this was said with a straight face) and because they did not think it was necessary or required by the GDPR.

Yet with this one single statement, Facebook have opened themselves up to the charge that they have no real or serious intention of addressing the gigantic level of misrepresentation of a person’s age that has resulted in vast numbers of under age children being on Apps or in places not intended for them. As a market leader this is very disappointing. It will not encourage others to up their game.

The net effect of Facebook’s own decision on WhatsApp, of removing altogether the need to obtain parental consent in respect of Lite, and the GDPR raising the age limits above 13 in so many countries, pretty much guarantees even larger numbers of children will engage in misrepresenting their age. That is not a good outcome.

My suggestion

I get Facebook’s point about the overreach that might be involved in having to age verify everyone solely in order to verify the ages of a restricted, if precious,  population group (children). Here is what they should announce, or something like it:

In order to enhance child protection measures and in the interests of maintaining the integrity of our systems, Facebook is going to use its algorithmic talents, not to age verify everyone but rather to see if, proactively, we can detect persons who fall below legal or declared thresholds. And by the way, while we’re on the subject, we are going to do the same in respect of verifying parental consent because we appreciate the systems available to us right now are ridiculously easy to game. If other or better solutions come out which might help with either or both these problems we will look at them.


The above notwithstanding I am not sure Facebook is anyway right to believe, for example in relation to facial recognition or location data, that accepting a tick in a box will be an appropriate way to ensure children are not, in fact, gaining access to services of that sort which are intended to be used  only by adults. If a thorough risk assessment was carried out I would be very surprised if it reached a different conclusion. We no longer allow box ticking for other types of  “adult services”.

The WhatsApp trap

I think Facebook is going to have a hard time explaining why they have chosen to limit access to WhatsApp to persons aged 16 or above within the EU yet outside  the EU 13 remains the qualifying age.

If 16 is right within the EU why is it not right everywhere else? GDPR compliance cannot be the reason for introducing  16 as the minimum age in every EU jurisdiction. Or am I missing something?

And finally

I congratulate Facebook on their bold move in creating two classes of service. However, the optics of this are very strange indeed and given everything else that has been going on around Facebook recently the company may be in for a rough ride.

Consent to having your data collected and processed is an idea everyone understands, even if its practical implementation has posed challenges in the age of the internet.

Consent being required to use Facebook is well-established. Introducing Facebook Lite and saying no consent is needed because of this (seemingly) new thing called  “legitimate interests“, sounds like something slippery and creative lawyers have dreamed up.  Where once consent was needed, now it isn’t. Go figure. Explaining that Lite isn’t Monty and that is the root of the difference is not an obviously winning argument.

Many will think it ironic that a measure such as the GDPR, which has been trumpeted as  strengthening the position of the consumer and the citizen, is in fact resulting in the younger consumer and the younger  citizen and their parents playing a less active, less engaged role because consent is no longer even being sought. In effect they are being told, unilaterally, what they must agree to in order to use a service. They must agree to do whatever the company specifies but they don’t actually have to give informed consent any more. Only lawyers could come up with that.

I get that companies utilising legitimate interest as the basis of collecting and processing data are, if anything,  under a greater set of obligations in a  number of respects but I am not sure how I would explain the apparent removal of the need for consent in a way that made it sound like a positive step forward or a gain.

People will say either the GDPR is being subverted or it has been flying under a false flag.


About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com
This entry was posted in Facebook, Regulation, Self-regulation, Uncategorized. Bookmark the permalink.