Facebook is set to move more than 1.5 billion users out of reach of a new European privacy law, which would allow regulators to fine companies for data breaches.
As things stand currently, almost 1.9 billion users around the world — outside the United States and Canada — are governed by terms of service agreed with the company’s international headquarters in Ireland.
Next month, Facebook is planning to make that the case for only European users, meaning 1.5 billion members in Africa, Asia, Australia and Latin America will not fall under the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25.
The previously unreported move, which Facebook confirmed to Reuters, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.
That removes a huge potential liability for Facebook, as the new EU law allows for fines of up to 4 per cent of global annual revenue for infractions, which in Facebook’s case could mean billions of dollars.
The change affects more than 70 per cent of Facebook’s 2 billion-plus members.
As of December, Facebook had 239 million users in the United States and Canada, 370 million in Europe and 1.52 billion users elsewhere.
Facebook, like many other US technology companies, established an Irish subsidiary in 2008 and took advantage of the country’s low corporate tax rates, routing through it revenue from some advertisers outside North America.
The unit is subject to regulations applied by the 28-nation European Union.
Facebook said the latest change does not have tax implications.
In a statement given to Reuters, Facebook played down the importance of the terms of service change, saying it plans to make the privacy controls and settings that Europe will get under GDPR available to the rest of the world.
“We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland,” the company said.
Earlier this month, Facebook chief executive Mark Zuckerberg told Reuters that his company would apply the EU law globally “in spirit,” but stopped short of committing to it as the standard for the social network across the world.
In practice, the change means the 1.5 billion affected users will not be able to file complaints with Ireland’s Data Protection Commissioner or in Irish courts.
Instead they will be governed by more lenient US privacy laws, said Michael Veale, a technology policy researcher at University College London.
Facebook will have more leeway in how it handles data about those users, Veale said. Certain types of data such as browsing history, for instance, are considered personal data under EU law but are not as protected in the United States, he said.