Facebook on collision course with new EU privacy laws

With its initial public offering this week, Facebook is roaring ahead. However, new European Union privacy regulations are taking aim at Internet companies' ability to profit through control of personal information – the key to their tremendous online advertising profits. 

Now in its eighth year, social networking website Facebook is set to become the hottest ticker on Wall Street – and it's not hard to see why. With 800 million users worldwide and $3.71 billion in sales in 2011, the company's IPO is expected to raise between $50 billion and $100 billion on the open market.

But with a business model built on leveraging user data to sell targeted advertising, Facebook, Google, and other Internet companies are on a collision course with EU demands that its citizens' right to privacy be respected. The EU regulations pit two Internet philosophies against each other: 1) that more regulation is needed in order to protect unwitting users, 2) that more regulation will encourage overactive censorship. 


Giving users more control

On Jan. 25, EU Justice Commissioner Viviane Reding unveiled a wide-ranging data protection program that aims to regulate all companies doing business online in the EU, not just those based there. The data protection laws, which will take about a year to be enacted, will be uniform across all 27 member states. 

"Companies must understand that if they want access to 500 million consumers in the EU, then they have to comply. This is not an option," says Matthew Newman, spokesperson for the justice commissioner. 

The proposal prescribes fines of up to €1 million ($1.3 million) or 2 percent of annual revenue, includes a "right to be forgotten" that allows users to permanently delete their data, and allows users easier access to their data and easier migration of it to other services. Additionally, companies wishing to do business in the EU will need a representative based there.

"The principle behind [the right to be forgotten] is quite simple: it's your data, you're in control of it and you get to decide what is done with it," says Mr. Newman.

Jeffrey Rosen, legal commentator and law professor at George Washington University, says he supports tougher privacy regulations, but called the EU's "right to be forgotten" a "legal minefield." 

Mr. Rosen says the regulations will create a dramatic clash between the right to freedom of expression and the right to privacy, arguing that under the proposal, websites like Facebook will be obliged to delete on request not only material that users upload, such as photos, but also any shared copies of photos – and potentially even material uploaded by third parties that another user objects to.

The new rules will bring Europe and the United States' different privacy norms face to face.

"There are hugely different cultures. Europe tends to trust the state and not private companies and in America it's the reverse. There's also a difference of tradition between dignity and liberty," Rosen says. "There is potential for radical disruption of the way users experience the Internet in the EU. This would transform Facebook and Google into censors-in-chief."

The question of privacy vs. openness hits at the heart of a major commercial issue in the Web 2.0 world, where personal data is traded for free access to online services. 

As part of the company's IPO announcement, Facebook founder and CEO Mark Zuckerberg sent a letter to shareholders, saying, "Facebook was not originally created to be a company. It was built to accomplish a social mission – to make the world more open and connected."

The Wild West of online data

Users of online services need to be more aware of what data is collected and how it is used, says Kieron O'Hara, a philosopher working at the University of Southampton's school of computer science in Britain.

"We are giving away too much [private information] partly because of a lack of awareness of who owns what data," he says. "Facebook was able to raise large amounts of money precisely because it has a business model waiting to be put into operation: data on hundreds of millions of users."

Joe McNamee of the European Digital Rights (EDRI) non-governmental organization, which supports the new regulation, says that many people still do not understand the importance of privacy online, or quite how much data is collected and stored or by whom.

"Back in the mists of time when people first started Internet companies and phone companies, nobody thought data was going to be stored for years under state mandates. People would have said you were nuts if you said so, or that airline data would be stored and shared, but now we have the EU-US PNR [passenger name records] agreement which does just that."

He believes the new regulation will simplify doing business across the EU by unifying data protection laws – and building users' trust, which could actually benefit companies in the long run.

"There's a lot Facebook is worrying about, but I don't think there's a lot [for it] to worry about," he says. "If people feel, due to the Wild West nature of online data, they should avoid services or block [advertisements] online, then that's not in the companies' interest."

A challenge in Ireland

Facebook is already under scrutiny under existing EU legislation. Austrian law student Max Schrems complained to the Irish government's Data Protection Commissioner (Facebook's EU operations are based in Dublin) about the retention of information about him that Facebook claimed had been deleted.

The commissioner issued the results of its audit on Dec. 21, 2011, saying Facebook was in general compliance with data protection laws and that targeting advertisements based on information users provided on Facebook was "legitimate," but recommending changes to Facebook's user policy to make users aware "through transparent notices" that their personal data was being used to target advertising.

The audit also criticized Facebook's sign-up process, saying "at the point of signup a person could not reasonably be expected to fully understand or comprehend what it means in practice to have consented to the use of their data in this way."

Facebook has agreed to make changes, which will be assessed by the Data Protection Commissioner in July 2012.

Europe V. Facebook, the organization founded by Mr. Schrems, rejected the results of the Irish audit as insufficient and plans to appeal to both Irish courts and EU authorities.

Europe V. Facebook is not alone. The Independent Center for Privacy in the German state of Schleswig-Holstein criticized the Irish report, saying it relied on "often unverified" assertions by Facebook.

One central allegation was that Facebook was creating "shadow profiles" of nonusers based on data collected from other websites that include Facebook features such as "like" buttons. The audit report confirmed information was collected, but said the data was not used for anything and will now be actively deleted.

"The report is a peculiar little beast," says TJ McIntyre, law lecturer at University College Dublin and founder of Digital Rights Ireland. "It's not really an investigation of the complaints. Max Schrems' complaints are still awaiting a formal response."

Ireland is a popular choice for multinational companies looking for a place to base their European operations, as Facebook did. Gary Davis, Ireland's deputy Data Protection Commissioner, says that for the country to continue attracting foreign investment, it needs to work with Facebook and similar companies to help them meet regulations, not punish them and deter their investment – and that it needs to balance that with enough to be seen as credible by both the companies and their users.

"If we're going to continue to attract multinational companies we have to be able to credibly regulate them," he says.

Facebook did not respond to inquiries for this story. 
