SAN FRANCISCO/ FRANKFURT (Reuters) - Facebook faces substantial business risks from new European Union privacy rules set to take effect in May, a looming reality that came into stark relief over the weekend with revelations that a controversial political consulting firm had improperly obtained personal data on 50 million Facebook users.

The Facebook application is seen on a phone screen August 3, 2017. REUTERS/Thomas White

Privacy experts said the disclosure that a researcher had sold Facebook data collected via a personality quiz to the consulting firm Cambridge Analytica is a prime example of the kinds of practices that the new General Data Protection Regulation, or GDPR, is supposed to prevent or punish.

The danger faced by Facebook going forward is two-fold: Complying with the rules means letting European users opt out of the highly targeted online ads that have made Facebook a money machine. Violating GDPR mandates could subject the California company to fines of up to 4 percent of annual revenues.

Had the Cambridge Analytica incident happened after GDPR becomes law on May 25, it “would have cost Facebook 4 percent of their global revenue”, said Austrian privacy campaigner and Facebook critic Max Schrems. Because a UK company was involved and because at least some of the people whose data was misused were almost certainly European, GDPR would have applied.

Shares in Facebook fell on Monday by 7 percent, their biggest drop since 2014, wiping nearly $40 billion off the value of the firm founded in 2004 by Mark Zuckerberg.

Schrems first raised concerns in 2011 about how easy it would be for third-party apps to harvest data from the unwitting friends of Facebook users. Facebook says it has tightened its controls on such practices since it discovered the alleged abuses by Cambridge Analytica in 2015.

Schrems has founded a non-profit, called None Of Your Business (NOYB), that is hiring lawyers and exploring avenues for “strategic litigation” over GDPR privacy violations.

According to whistleblower Christopher Wylie, who formerly worked with Cambridge Analytica, the consulting firm used the data to help then-U.S. presidential candidate Donald Trump to predict and influence choices at the ballot box.

“The fact of the matter is that Facebook lost control of the data and wasn’t adequately monitoring what third-parties were doing,” said Scott Vernick, a partner and an expert in privacy and data security at the Philadelphia law firm Fox Rothschild.

Vernick said the maximum GDPR fine could come into play in an incident like this because of the number of users affected and what appears to have been inadequate monitoring of third-party data practices.

Facebook said it changed its policies in 2014 to “to give much less data, especially about friends,” Facebook Vice President Andrew Bosworth said in a Facebook post on Monday.

“We conduct a robust review to identify potential policy violations and to assess whether the app has a legitimate use for the data,” the company said on Monday. “We actually reject a significant number of apps through this process.”

Compliance with GDPR rules could cost Facebook a significant amount of money. Deutsche Bank analysts in January estimated that Facebook’s overall revenue could be lowered by 4 percent in a scenario in which 30 percent of EU users opt out of targeted ads, reducing the effectiveness and likely price of ads shown by 50 percent.

The EU represents 24 percent of Facebook’s ad revenue, so multiplying those figures, the bank said the regulations could have a 4 percent impact on overall Facebook revenue.

“If this regulatory approach spreads to other countries or if GDPR ever becomes more onerous over the medium or long term, it would pose more risk,” Deutsche Bank warned.

The firestorm over Cambridge Analytica has prompted a furious response from lawmakers on both sides of the Atlantic, raising the prospect of just such an expansion of privacy protections.

Pivotal Research analyst Brian Wieser reiterated his ‘sell’ rating on Facebook after the weekend reports. Wieser expressed concerns that the company’s regulatory risks would intensify and that its sophisticated use of data in advertising was in jeopardy.

A December 2017 survey found that only 21 percent of European consumers know what GDPR is. But after the regulation was explained, 82 percent of respondents said they plan to exercise their new rights, according to the survey of 7,000 Europeans conducted by Cambridge, Mass.-based Pegasystems Inc PEGA.O, which makes sales and marketing software.

PageFair, an Irish startup that helps websites deliver targeted ads without using personal data, estimates that only 3 percent of European social media users will opt-in to targeted ads, a potentially “devastating” blow for Facebook and other platforms, says Johnny Ryan, PageFair’s head of ecosystem.

GIVING CONSUMERS CONTROL

The quandary for Facebook is readily apparent from a video it began showing customers in February: it teaches people how to delete their accounts.

GDPR gives users the right to access their data, delete it or transfer it to competing companies. Social networks will also need to regain Europeans’ consent every time they want to use their data in new ways, including for targeted advertising.

Lawmakers had social networks in mind when drafting GDPR, said Helen Dixon, the data protection commissioner of Ireland, which is the lead GDPR regulator for numerous tech companies including Facebook, Twitter and LinkedIn.

“There was very big consideration of these newer types of platforms,” she told Reuters.

Tough European rules stand in sharp contrast to the lack of privacy regulation in the United States and many other countries, raising the prospect that Facebook will begin to look much different from one country to the next.

For example, the social media giant in 2017 released new artificial intelligence features that detect when a user is at risk of suicide or when someone else uploads a picture of their face.

The company did not make those features available in Europe. Facebook did not specify a reason. But heightened scrutiny in Europe over such practices with GDPR looming may have been a factor.

Another challenge for social networks are GDPR provisions mandating how companies must obtain permissions. The regulation demands that requests for consent be presented “in an intelligible and easily accessible form, using clear and plain language.”

In other words, the days of extensive “terms of service” agreements written in small text will no longer pass muster in Europe, numerous data privacy lawyers told Reuters.

In practice, social network users may find themselves seeing more “permissions screens” and being asked to check boxes every time a social network rolls out a new feature.

That could depress usage, Facebook Chief Financial Officer David Wehner said at an investor conference last month. “Whenever you walk people through permission screens, there’s some potential that people decide they’re not going to use the product,” Wehner said. “We don’t think it will be big, but there could be some implication there.”(This version of the story was refiled to correct description of PageFair’s business in 19th paragraph)