Facebook faces substantial business risks from new European Union privacy rules set to take effect in May, a looming reality that came into stark relief over the weekend with revelations that a controversial political consulting firm had improperly obtained personal data on 50 million Facebook users.
Privacy experts said the disclosure that a researcher had sold Facebook data collected via a personality quiz to the consulting firm Cambridge Analytica is a prime example of the kinds of practices that the new General Data Protection Regulation, or GDPR, is supposed to prevent or punish.
The danger faced by Facebook going forward is two-fold: Complying with the rules means letting European users opt out of the highly targeted online ads that have made Facebook a money machine. Violating GDPR mandates could subject the California company to fines of up to 4 percent of annual revenues.
Had the Cambridge Analytica incident happened after GDPR becomes law on May 25, it “would have cost Facebook 4 percent of their global revenue”, said Austrian privacy campaigner and Facebook critic Max Schrems. Because a UK company was involved and because at least some of the people whose data was misused were almost certainly European, GDPR would have applied.