On April 10 and 11, Congress will ask Mark Zuckerberg to explain himself. The Facebook CEO will testify before Senate and House committees about the Cambridge Analytica data leak, which the company says has affected up to 87 million users of its service. The company has further owned up to efforts by “malicious actors” to scrape data on “most” of its two billion accounts.
Despite these revelations, Facebook still hasn’t learned its lesson. In comments this week, Zuckerberg doomed his US users to second-class status when it comes to data privacy.
Zuckerberg and his executive team had a chance to get ahead of this public relations and technological disaster. On May 25, companies operating in the European Union must comply with the General Data Protection Regulation, which takes online privacy to new levels for ordinary people in Europe.
The rules govern everything from how companies get users’ consent for gathering data, to the ability of users to transfer their data from one service to another, to the “right to be forgotten” (now termed “right to erasure”), that is, the right to delete your online presence.
Congress should pressure Zuckerberg to at least pledge a voluntary effort to impose the new EU privacy regulations on his US operations.
During an interview this week with Reuters, Zuckerberg pledged to follow the EU rules, but he refused to commit to following GDPR-like rules in the US or anywhere else outside the EU. “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” Zuckerberg said. In other words, the rules Facebook follows will be different, and presumably more lax, for US users.
To Zuckerberg’s credit, his thinking has evolved over time. At first, the misuse of Facebook’s data wasn’t the company’s problem, until Cambridge Analytica’s abuse came to light. Recently, he’s suggested an openness to some federal regulation, without suggesting anything specific. Today, he’s bound to comply with EU rules, but he stops short of calling for anything approaching parity in the US with the EU, except for a vague nod to GDPR’s “spirit.” That’s not good enough.
Lawmakers in Washington should first pin Zuckerberg down on what he knew about the Cambridge Analytica debacle and when he knew it. Second, they should pressure him to pledge a voluntary effort to impose the new EU privacy regulations on his US operations. If he demurs, Congress should move forward with amendments to existing data privacy laws or write new ones.