Facebook’s efforts to save face over its data policy may be less about responding to outrage and more because it has been forced to by European lawmakers who tackled the digital economy when the U.S. wouldn’t.
Critics have called on Facebook for more transparency — and additional regulation from Congress — since the Cambridge Analytica scandal, where a consulting firm that worked with President Trump was able to harvest the data of 50 million users, many without their consent.
Founder Mark Zuckerberg blamed old policies for the scandal, and the California-based tech giant offered its own solution this week by announcing that it will make privacy tools for users easier to find and give users a means of controlling how their data is used.
Facebook said the changes came after it heard the digital yells of its billions of users, though the measures it proposes are in line with privacy demands from the European Union that must be implemented in the coming months.
The EU’s General Data Protection Regulation, a vast and wide-reaching law about data and people’s rights online, will come into effect in late May, and affect any company that handles the data of Europeans, including those based in the U.S.
Central parts of the law for individuals include a requirement that sites such as Facebook explain what data they are collecting in clear, non-lawyer terms, the right to erase one’s data and “purpose limitation” that restricts data from being used for anything other than what it was originally collected for, such as location data on Google Maps being used only to help someone get from A to B.
Data violations were previously punishable by smaller fines, though the new law will allow authorities to wallop companies for up to 4% of global annual turnover — in Facebook’s case, more than $1 billion.
Also importantly, according to groups such as the privacy and data protection organization European Digital Rights (EDRi), it helps acknowledge a set of rights for people in the relatively lawless online world dominated by a small number of multinational companies.
“Ideally in 10 or 20 years from now all of the standards we have we’ll ask ‘How did we not have this before?’ I think that’s the next generation question, them saying ‘I heard about Cambridge Analytica in a history book, that’s crazy,’” said Diego Naranjo, a Spanish policy adviser to EDRi at its office in Brussels.
GDPR faces uncertainty about what it will look like when it is implemented and enforced by national governments in Berlin, Paris or Rome.
A common counterargument is that more regulation will stifle innovation and deter newcomers lacking the army of lawyers employed by big tech firms.
The law, which applies to governments as well as businesses, also makes a distinction for sensitive personal data, including someone’s religion, political views and health. It is not clear how precise platforms such as Facebook will be in allowing users to control the data that is the center of its business model.
The social media platform did not reply to a question about what the controls will look like, though it said in a statement that “We’ll make sure Facebook’s products and services comply with the GDPR” and pointed to a speech from COO Sheryl Sandberg saying that her company would go beyond what’s required in the law.
Facebook also did not answer a question about whether it would make its entire platform compliant with the new regulation or have different standards for Europe and for users in countries such as the United States, where there is no general data law.
The Obama administration made multiple attempts for a “Consumer Privacy Bill of Rights” that fizzled in Congress, and many data issues, such as an investigation into Facebook and Cambridge Analytica, are handled by the Federal Trade Commission rather than a specific data authority like those in Europe.
“One model is the U.S. model where you don’t really have a data protection law and then the best example of a comprehensive data law is GDPR,” said Amba Kak, a policy fellow for Mozilla who is advocating for the passage of a data protection law in India.
A committee in India is currently drafting a law and looking at other countries for examples, though the leadership the U.S. has shown in creating technologies has been lacking when it comes to developing proper guidelines for the technology’s use.
Dr. Brent Mittelstadt, a researcher at the Oxford Internet Institute, said that some mixture of self-regulation and state regulation is necessary to avoid situations such as with Cambridge Analytica, where users’ data was unknowingly used for political purposes.
“You can’t take the benefits of self-regulation and simultaneously make the claim, ‘Hey we were operating within the confines of the law, sorry if you have a problem with it,’” he said.
Experts say the tougher laws may be necessary because the average person should not have to be a techie to know that their data is safe online.
“When you use the elevator you were not checking the safety regulations for people who make elevators, you were just pressing the button and going in. That should be the same thing for the rest of our technologies,” Naranjo said.