European Union regulators have long been tougher on tech companies than their U.S. counterparts, forcing these companies to give users more control, imposing fines for noncompliance, and requiring platforms to spot and delete illegal content. With such concerns now being widely discussed in the United States and other countries, including India, Europe’s skeptical stance toward Big Tech suddenly appears not to be that old-school anymore.
In Europe, recent revelations about data misuse mostly resulted in calls to speed up work on privacy regulations that was already underway.
In the United States, however, they may lead to much tougher questions: Would American Facebook users become de facto second-class members when it comes to privacy issues, if U.S. lawmakers continue to avoid regulations as foreign governments push ahead?
As Facebook chief executive Mark Zuckerberg will continue to address U.S. lawmakers on Wednesday, his best bet might essentially consist of promising American users the sort of protection the company had to grant its European users. Zuckerberg and other Facebook officials have indicated that this is at least part of their strategy in recent weeks and during his hearing on Tuesday.
“You think the Europeans had it right?” Sen. Lindsey O. Graham (R-S.C.) asked during the session, referring to E.U.-style regulations of U.S. tech companies.
The Facebook chief executive may seek to use his appearances at the Capitol Hill hearings to further portray those promised changes as a willingness to self-regulate. But the timeline of events leading up to his promise to adapt to coming European rules and to make further changes points to a different conclusion. In Europe, Facebook acted only when governmental pressure became too risky to ignore — after a political and legal struggle that dragged on for years. As Facebook faces mounting pressure in the United States, too, it’s worth keeping in mind that its privacy compromises didn’t come out of nowhere, privacy advocates here caution.
The key question is whether Zuckerberg’s promises to implement European standards worldwide are genuine or a strategy to persuade U.S. lawmakers to leave the company alone.
That is why Tuesday’s appearance was also about a cultural difference that has widened in recent years: Should the United States stick to its belief in the industry’s self-regulation, even as scandals mount? Or should it copy Europe’s approach, which has had more impact, even though critics warn of governmental overreach?
Introduced as the General Data Protection Regulation (GDPR) and set to take effect next month, the landmark European law will force all companies operating here to tell their online European users which data they have stored on them and provide them with an option to delete that information. Companies need to explicitly ask their users for consent whenever they seek to deviate from certain standards, rather than forcing them to opt out in case they realize what they have signed up for, as is often the case. Violations can result in significant fines.
The right to privacy is costly, however. The global law firm Paul Hastings has estimated that any Fortune 500 company dealing with E.U. customers will spend an average of $1 million on adjusting tech systems. (The law doesn’t target only social networks such as Facebook but also just about any company that has a website.) Critics have also blasted the legislation as too protectionist, too vague or too broad.
Some even fear the end of the open Internet’s business model. “GDPR, and calls for similar regulation in the U.S., may lead to the end of what has long been the internet’s grand bargain: the exchange of free or subsidized content for personalized advertising,” wrote Larry Downes of the Georgetown Center for Business and Public Policy.
Still, the European changes might have passed virtually unnoticed in the United States had they not coincided with revelations about the data-harvesting company Cambridge Analytica's collection of Facebook users’ personal data for political ends.
Facebook said last week that Cambridge Analytica may have obtained information on far more users — with about 20 percent of them estimated to be living outside the United States. In a separate revelation, Facebook also had to acknowledge last week that “malicious actors” discovered the identities and collected data on most of its 2 billion global users. The mechanisms used by Cambridge Analytica and the “malicious actors” cited by Facebook appear to have been legal and do not constitute a data hack but, rather, a deliberate exploitation of information through tools or loopholes that Facebook provided in the past.
Zuckerberg appeared to be prepared for some uncomfortable questions during his hearing on Tuesday. In a conference call with journalists last week, he already applauded the European efforts, calling them “very positive,” in a somewhat surprising assessment.
In an open letter, U.S. and European consumer protection groups still urged Zuckerberg to provide more “specific details on how the company plans to implement these changes.”
Zuckerberg's praise for Europe’s tough data rules — which have been considered detrimental to the company’s business model — may indicate either a real strategy change or, as some consumer protection groups fear, an effort to calm nervous lawmakers by promising eventual change that may or may not materialize.