Facebook's Zuckerberg Pledges Worldwide GDPR ComplianceSecond Congressional Hearing Probes Privacy Issues
At a U.S. House hearing Wednesday, Facebook CEO Mark Zuckerberg said the company would eventually comply worldwide with the European Union's tough privacy law, the General Data Protection Regulation.
See Also: Why CASBs Matter to Cloud Security
Earlier this month, Zuckerberg had indicated the company would comply "in spirit" worldwide but that some exceptions would be made (see: Facebook's Zuckerberg: GDPR Won't Apply Worldwide).
"Yes, all the same controls will be available around the world," Zuckerberg testified at the House hearing. "We believe everyone deserves good privacy controls."
Some of the data protections required by GDPR have been built into Facebook already and available for years, Zuckerberg said. For instance, Facebook users have had the ability to download all their data, Zuckerberg told House members. "GDPR requires us to do a few more things and we are going to extend that to the world."
Regarding whether Facebook will offer the GDPR's required "affirmative consent" in the U.S. and elsewhere, Zuckerberg said the company "will do that too," but will walk consumers through those settings differently, depending on the nation where they live.
Zuckerberg declined to give a timeline on when its controls would meet GDPR standards in the U.S. But he conceded that would not happen by the May 25 enforcement deadline for GDPR.
Second Hearing This Week
The five-hour House Commerce and Energy Committee hearing Wednesday followed another five-hour grilling of Zuckerberg on Tuesday by members of the Senate Judiciary and Commerce committees.
Zuckerberg's written testimony, like his oral testimony, was woven with apologies for the privacy breach impacting 87 million of Facebook's users that occurred when their personal information was inappropriately transferred to Cambridge Analytica.
Cambridge Analytica executives have claimed credit for propelling President Donald Trump's digital campaign (see Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
Whistleblowing by a former data scientist at the U.K.-based voter-profiling firm has raised concerns over whether Facebook allowed too much access to its rich troves of personal data.
The acting CEO of Cambridge Analytica, Alexander Tayler, annnounced Wednesday he's stepping down, noted Rep. Tony Cardenas, D-Calif. Tayler will resume his previous role as chief data officer, according to news reports.
Using Tools 'For Good'
In his opening comments, Zuckerberg told House committee members: "It's not enough to give people control of their information; we have to make sure developers they've given it to are protecting it too. Across the board, we have a responsibility to not just build tools, but to make sure those tools are used for good.
"We're in the process of investigating every app that had access to a large amount of information" before the company "locked down" its platform in 2014. "If we detect suspicious activity, we'll do a full forensic audit. And if we find that someone is improperly using data, we'll ban them and tell everyone affected."
During questioning, Zuckerberg told committee members: "The big lesson [Facebook learned] is that clearly we can't take developers word" that they're abiding by Facebook data policies, "and we need to audit."
Besides auditing apps, Facebook is deploying artificial intelligence tools to help identify fraudsters and data abusers, Zuckerberg testified.
Some lawmakers questioned whether Facebook's breach involving Cambridge Analytica and practices leading up to it violated a 20-year consent decree signed by Facebook with the Federal Trade Commission in 2011 related to company's privacy practices. Zuckerberg contended there were no violations.
Rep. Diane DeGette, D-Colo., noted that Facebook's FTC consent decree did not include a financial settlement. "FTC has no authority for financial penalties for first time violators," she said, adding that federal regulations that allow for penalties are needed.
Rep. Raul Ruiz, D-Calif., asked Zuckerberg why Facebook did not inform the FTC and users in 2015 when Facebook learned from The Guardian that Cambridge University researcher Aleksandr Kogan improperly shared Facebook user data with Cambridge Analytica. "In retrospect it was a mistake," the Facebook CEO replied. "We didn't have a legal obligation [to notify], but it would've been the right thing."
Calls for Regulation
Like their colleagues in the Senate, many House members at the hearing called for more regulatory oversight of Facebook and other social media firms. "The only way to close the trust gap is with legislation," said Rep. Mike Doyle, D-Penn.
"You're CEO of one of the biggest corporations in the world but yet almost entirely in an environment that is unregulated. ...The lanes in which you're supposed to operate are very wide and broad, unlike other industries," Cardenas told Zuckerberg.
Rep. Marsha Blackburn, R-Tenn., urged Zuckerberg to familiarize himself with the Browser Act, bipartisan privacy legislation she and other lawmakers introduced last year, which she described as "one set of rules for enforcing the ecosystem ... It's only 13 pages long; we would appreciate your help," she told Zuckerberg.
"You're the guy to fix this. We're not. You need to save your ship."
Rep. Billy Long, R-Louisiana, summed up the sentiments expressed by some of his House colleagues contemplating new regulations as a result of the Facebook privacy controversy.
"If you don't remember anything else from this hearing," he warned Zuckerberg, "we're getting ready to overreact - so I would suggest you go home and review all the things people have accused you of today, and get your team behind you. You're the guy to fix this. We're not. You need to save your ship."