Tough new privacy rules introduced by the EU last year have many fans.

In his recent op-ed for the Washington Post, Facebook founder Mark Zuckerberg claimed to be one of them.

"People around the world have called for comprehensive privacy regulation in line with the European Union's General Data Protection Regulation, and I agree," he wrote.


"I believe it would be good for the internet if more countries adopted regulation such as GDPR as a common framework. New privacy regulation in the United States and around the world should build on the protections GDPR provides."

In real life, the Facebook boss's enthusiasm for the GDPR has limits, however.

Exhibit A: At the start of last year, Facebook's terms of service put its New Zealand users under Irish privacy law (a bit tangential but, after all, it was where NZ advertisers were billed as the social network sought to minimise its tax bill).

That meant Kiwi Facebook users were in line to be covered by strict new EU privacy rules. Ireland is, after all, part of the European Union.

But as the GDPR kicked in on May 25, Facebook changed its terms for NZ users, putting us under US privacy law.

NZ Privacy Commissioner John Edwards was not impressed at the social network's pick-n-mix, approach.

His view was, simply, that Facebook's NZ activity should be covered by NZ law.

"I remain of the view, based on expert advice on how private international law works, that Facebook is subject to New Zealand law in relation to the collection, use, storage, access and disclosure of personal information," Edward said last May.


"One very interesting consequence of this development is that a key objection from Facebook to this proposition, was that disclosing information to my office would have put them in breach of Irish law. That objection will now no longer be tenable."

No dice. In the wake of the Christchurch shootings, Edwards asked Facebook to provide NZ police with the account details of everyone who had shared the gunman's video. The Privacy Commissioner regarded copies of the clip being posted to the social network as an "egregious" breach of the victim's privacy. Sharing was also a breach of NZ's censorship laws given the video and the gunman's manifesto have been banned (and an "objectionable" rating, or ban on viewing or sharing, applies from the moment offending content is released, not the moment it is rated).;

Facebook refused to hand over the names. Global policy VP Monika Bickert told the Herald she was following the law - presumably US law.

Why the switch?

When I asked last May why Facebook had shifted its NZ users from the robust production of the EU's privacy laws to the lighter US regulations, deputy chief global privacy officer Stephen Deadman replied, "The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users. We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that."

But Edwards' point was that Facebook doesn't get to set the level of privacy protection. Governments do.

A simple test of Zuck's new resolve

In his March 31 editorial for the Post, Zuckerberg seemed to embrace this concept.


"I believe we need a more active role for governments and regulators," he wrote.

"New privacy regulation in the United States and around the world should build on the protections GDPR provides … and should establish a way to hold companies such as Facebook accountable by imposing sanctions when we make mistakes."

A day later, the UK's information commissioner, Elizabeth Denham asked Zuckerberg to prove his new-found sincerity for sanctions by dropping an appeal against a £500,000 she imposed on Facebook after the Cambridge Analytica scandal.

A spokesman for Facebook said the company would continue to contest the penalty.

Zuckerberg wrote that there needs to be a "globally harmonized" effort that sees various countries' privacy rules aligned under a "common global framework."

Should the nations of the world work together toward that goal - and London to a brick they won't - it would years.


Aussies go on the front-foot

Meanwhile, back in the real world, on the heels of the news that the gunman's clip is still being shared on Facebook, the Australian government has gone in boots-and-all, saying it will introduce legislation this week that would see social networks fined up to 10 per cent of their annual revenue and their executives face up to three years' jail if they fail to remove "abhorrent violent content."

One lobby group, Digital Rights Watch, has called the proposed law-changed kneejerk and rushed, and says it will have unintended censorship consequences.

NZ goes on no foot

Here, Prime Minister Jacinda Ardern - a high-rotate user of Facebook Live for unmediated access to voters - has said social networks need to do more to prevent inappropriate material, but has yet to outline or timeline measures (though we continue to throw the book at people who share the Christchurch clip - the latest is a teen).

MPs recently hosed-down Privacy Commissioner John Edwards' bid to give a Privacy Act update some teeth by allowing him to fine organisations up to $1m.

Ardern said early this week, "Ultimately, we can all promote good rules locally, but these platforms are global."

And global regulations are a pipedream.


Meanwhile, little is happening.

Late yesterday, Edwards said the social network had told him it has done nothing so far to change its live streaming since the Christchurch attacks.

Facebook is "exploring" changes to its live streaming video, Sandberg said in her open letter.

With a business model that relies on speed and volume of user content, cynics will see things stalled at the exploratory phase for some time. Hopefully, Facebook will prove them wrong.