But now, Facebook says that Cambridge Analytica may have obtained data on far more users — with about 20 percent of them estimated to live outside the United States. In a separate revelation, Facebook also had to acknowledge Wednesday that “malicious actors” were able to discover the identities and collect data on most of its 2 billion global users.
The mechanisms used by Cambridge Analytica and the “malicious actors” cited by Facebook appear to have been legal and do not constitute a data hack, but rather a deliberate exploitation of information through tools or loopholes Facebook itself provided in the past.
While tens of millions of U.S. consumers are affected in both cases, the misuse of foreign users’ data could now turn out to be the real problem for Facebook, since other countries take privacy issues more seriously than the U.S. government. At least two foreign governments, Australia and Germany, threatened or launched investigations into the practices on Thursday.
In Australia, a government watchdog organization, the Office of the Australian Information Commissioner, opened an investigation into Facebook’s practices, writing in a statement that it “will consider whether Facebook has breached the Privacy Act 1988 (Privacy Act).”
“Given the global nature of this matter, the OAIC will confer with regulatory authorities internationally,” the watchdog wrote.
Meanwhile, in India, where more than a half-million users are estimated to be affected, the allegations have resulted in a governmental request to Facebook and Cambridge Analytica for more detailed information, with a Saturday deadline.
Even though India is now Facebook’s biggest market — ahead of the United States — no Indian media outlets were able to ask questions in a conference call with CEO Mark Zuckerberg on Wednesday. The heavy U.S. focus immediately triggered criticism because privacy advocates are still looking into reports that Cambridge Analytica may have used Facebook data to influence Indian politics, as well.
But Facebook’s acknowledgments in recent weeks have triggered particularly furious reactions in a privacy-conscious Europe that has long sought ways to rein in U.S. social media and tech giants. European Union regulators have always been much tougher on the tech companies than their U.S. counterparts, for instance forcing them to give users more control, imposing fines for noncompliance and requiring platforms to spot and delete illegal content. The latest revelations could serve as a pretext to toughen existing rules further and force social media companies to implement broader changes worldwide.
That’s why two countries included in Facebook's acknowledgment on Wednesday are likely to cause the social media company a particular headache: Britain and Germany.
German justice minister Katarina Barley already called for an E.U.-wide investigation into the misuse of Facebook's data by Cambridge Analytica and other companies on Thursday.
“Facebook has gambled away people's trust,” Barley said. “There have to be clear rules for social networks.”
Even more damaging to Facebook's business model than tumbling shares may be the sort of E.U.-style regulation efforts that have been introduced here in recent years. Nevertheless, Zuckerberg applauded the European efforts in a conference call with journalists Wednesday, calling them “very positive,” in a somewhat surprising assessment.
His praise for Europe’s tough data rules — that have so far been considered detrimental to the company’s business model — may either indicate a real strategy change or an effort to calm Europe’s nervous regulators by promising eventual change. Zuckerberg has struck an unusually humble tone in recent weeks, as his company has gone through its worst crisis so far, even as critics say that the company has shied away from key issues.
“We intend to make all the same controls and settings available everywhere, not just in Europe,” Zuckerberg said on Wednesday, referring to a major new online privacy law that will take effect in May. Introduced as the General Data Protection Regulation (GDPR), the massive overhaul will force all companies operating here to tell their European users which data they have stored on them and provide them with an option to delete that information, among other changes.
While European social media skeptics have celebrated the law as almost revolutionary, Zuckerberg stopped short on Wednesday of promising the same rights to users in the United States or other countries disproportionately affected by the latest revelations, including the Philippines, Indonesia, Mexico and Canada.
“Is it going to be exactly the same format? Probably not. We need to figure out what makes sense in different markets with the different laws and different places. But — let me repeat this — we’ll make all controls and settings the same everywhere, not just in Europe,” Zuckerberg said.
Europe's tough stance on U.S. tech companies may end up benefiting users around the world if Zuckerberg follows through on his promises.
But in Europe, Germany's justice minister and others already fear that the latest regulations aren’t enough.
Annie Gowen in New Delhi contributed to this report.
More on WorldViews: