Lawmakers in both the U.S. and EU are grappling with the realization that Meta might not be able to comply with user data regulations, even if the company wanted to do so.
In a leaked internal document published by Motherboard last week, Facebook privacy engineers wrote that there are “tens-of-thousands of uncontrolled data ingestion points into Ads systems.” The document, which was written in 2021, likened Facebook’s open-data systems to ink poured in a lake of water. “How do you put that ink back in the bottle?” the engineers ask, in what is seemingly a concession that the company can’t trace some user data accessible to third parties.
Meta denied this characterization to Motherboard, however; a spokesperson said the document “reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”
The document does indeed show that Meta is feeling the effects of new and nascent privacy regulation around the world. The engineers said they anticipate “impactful regulations” in India, Thailand, South Korea, South Africa and Egypt. They also expected U.S. federal privacy regulation, though they correctly guessed that it wouldn’t come in 2021.
U.S. senators on both sides of the aisle didn’t buy Meta’s explanation.
“Facebook has lost control of what they are doing with your data,” Republican Sen. Marsha Blackburn wrote on Twitter in response to the leak. “This is reckless and threatens the privacy and security of Americans. We need a national privacy standard.”
Democratic Sen. Kirsten Gillibrand wrote: “If Big Tech companies don't even know how the data they collect on us is used, we can't rely on them to protect our privacy. We need a Data Protection Agency to hold them accountable and set standards for how our data is collected, protected, and used.”
Across the Atlantic, Dutch EU Parliamentarian Sophie in 't Veld called for an immediate investigation, explaining to Motherboard that “if this is true, basically, they're not remotely compliant with GDPR, not remotely.”
The GDPR stipulates that companies can only collect data for “specified, explicit and legitimate purposes.” The EU legislation also includes a right to be forgotten clause that lets users request the erasure of their data “without undue delay.” In the leaked document, however, Meta engineers said it would take “multiple years” to build a system that effectively allows users to opt out of having their data processed.
The California Consumer Privacy Act also includes a right to be forgotten clause. In the absence of federal privacy regulation, the CCPA serves as the most important piece of online data privacy legislation in the U.S. The leaked document raises questions as to what effect federal regulation would have, if any, given Meta's apparent struggles to comply with existing state law. Facebook claims to give California users the ability to exercise their “right to know” or “right to request deletion.”
For Meta shareholders, the document also raises questions about the company’s ability to maintain levels of profitability while restructuring data systems. The leaked document concedes that “there is no obvious solution yet, which doesn’t involve dramatic investment by Ads engineers.”
The engineers wrote that Meta “may allow certain opt-out data to be used in training, but not in ranking or targeting.” The Federal Trade Commission could demand Meta remove or destroy models built using data from users who opt out. The agency did so as part of a settlement with WW International (previously known as Weight Watchers), which was accused of harvesting data from children without parental permission. If Meta indeed faces a multiyear project timeline for building those capabilities, regulators might simply resort to recurring fines — if they even have enforcement capability in the first place.