Facebook Scores a Very Unwelcome First on Data

(Bloomberg Opinion) -- Maybe it was inevitable that Facebook Inc. would become the first big target for Europe’s new data privacy rules.

After Mark Zuckerberg’s social media giant revealed a security breach last month that hit at least 50 million accounts, Ireland’s data protection authority now says it’s investigating whether its safeguarding measures were compliant with the General Data Protection Regulation, which came into effect in May.

Before GDPR’s implementation, technology firms would say in private that their main fear was not necessarily being targeted by the wardens of the new rules, but becoming the first to fall under their spotlight. The potential fine, large as it is, is of less concern than the reputational risk. While Facebook says it “undertook a massive effort in preparation for GDPR,” nobody wants to become the first name associated with this type of probe. It can stick.

And, should the investigation find Facebook was indeed in breach, the possible penalty is considerable. Bloomberg Intelligence analyst Tamlin Bason estimates it could be as high as $813 million, since contravening the legislation’s “data protection by design and by default” clause permits a maximum fine of up to 2 percent of global revenue. Facebook had $40.6 billion of sales last year.

Given Facebook’s data travails over the past 12 months, and the nature of its business, it’s not a complete surprise that it has been targeted — even if the company insists that it does have a GDPR-compliant level of security.

User data is Facebook’s lifeblood. It uses the information to sell ads targeted at very specific demographics. And the “move fast and break things” adage by which it lived for much of its early existence sits uneasily with the EU’s notion of “privacy by design,” one of the core tenets of GDPR. Brussels expects a company’s default approach to be keeping data as tightly held as possible.

Just last week, the news website Gizmodo reported that Facebook was using somebody’s cellphone number to facilitate ad targeting, even though the user had only given the site his number for so-called “two-factor authentication” — an extra layer of security when logging in. It’s the sort of extra edge that has helped Facebook enjoy average annual sales growth of 75 percent since 2007.

In fairness to Zuckerberg, it seems he’s trying to change the culture. After announcing measures aimed at improving its checks and balances on how data is used, Facebook conceded in July that this would mean slower growth this year. The stock tumbled, and has failed to recover those losses. And the company is adamant that it is fully GDPR-compliant: It told the Irish regulator about the security breach within 72 hours of learning about it, as the rules stipulate. In public, Zuckerberg has gobbled down slice after slice of humble pie, even as he’s tightened his control over group companies WhatsApp, Instagram and Oculus.

But despite Zuckerberg’s pleas for trust about his commitment to change, regulators still have a crucial role to play in holding him to that. Facebook may not be happy, but the investigation shows Europe remains vigilant.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Alex Webb is a Bloomberg Opinion columnist covering Europe's technology, media and communications industries. He previously covered Apple and other technology companies for Bloomberg News in San Francisco.

©2018 Bloomberg L.P.