U.S. Markets close in 2 hrs 53 mins

Why Europe's data privacy law isn't a perfect model for policing Facebook

Akiko Fujita
Anchor/Reporter

Facebook CEO Mark Zuckerberg’s weeklong campaign for more government regulation hasn’t exactly been met with a warm embrace from lawmakers.

Since Zuckerberg published an op-ed in the Washington Post at the end of last month, calling for an “update” to the internet rules that enabled platforms like Facebook to scale, lawmakers have responded with a collective “thanks, but no thanks.”

Rhode Island Congressman David Cicilline, who chairs the House Judiciary Subcommittee on antitrust, questioned the unsolicited advice, tweeting “Mark Zuckerberg doesn’t get to make the rules anymore.”

Meanwhile, FCC Commissioner Brendan Carr questioned the Facebook chief’s motives, in an interview with Yahoo Finance.

“When large corporations ask for greater government control, it’s not an act of charity,” he said. “Larger companies have armies of regulatory lawyers and lobbyists that can work through complex heavy handed regulatory regimes. Smaller competitors can’t.”

Lawmakers appear united in their desire to crack down on big tech to safeguard against data breaches, hate speech, and disinformation, but they remain divided on the legal tools necessary to do so, especially given the mixed results in Europe so far. The General Data Protection Regulation or GDPR — a law that strengthened individual privacy protection and enforced harsh penalties on companies for data breaches — has become a type of template globally on how to regulate digital risks. But the law designed in part to reign in big tech has actually pressured their smaller competitors.

‘We cannot leave it to Facebook’

Nearly a year after GDPR’s passage, Facebook’s potential fines have topped $1 billion.

And yet, in the company’s most recent earnings report, the social media platform posted record profit. Average revenue per user actually increased in Europe.

Earlier this year, French regulators slapped Google with a roughly $57 million fine for failing to comply with GDPR. That marked the largest penalty lobbed against a U.S. firm under Europe’s new law. But that paled in comparison to the $39.8 billion revenue parent Alphabet posted in the 4th quarter.

Meanwhile, small- to medium-size companies that don’t have those deep pockets have taken a bigger hit, forced to shell out hundreds of thousands of dollars on legal fees and software fixes to be compliant, taking money away from investments intended to build out their network and better compete with their bigger counterparts.

European Competition Commissioner Margrethe Vestager, left, talks to Trade Commissioner Cecilia Malmstrom prior the weekly College of Commissioners meeting at EU headquarters in Brussels, Wednesday, Feb. 6, 2019. (AP Photo/Francisco Seco)

The European Commission says more than 95,000 complaints have been filed under GDPR, with over 41,502 data breaches reported so far. Howard Yu, LEGO professor of management and innovation at IMD Business School in Switzerland, says the real test for GDPR will come in litigation.

“In the finance industry, the reason a lot of the regulation is being followed is because there are auditors out there making sure of compliances of these regulations,” Yu said. “In the IT sector, we don’t have such a body making sure their compliance is up to par, before releasing a public statement signed off by the party. There’s no such mechanics.”

Companies found in violation of GDPR either face a maximum fine of $23 million, or in the case of more lucrative companies, 4% of their annual worldwide revenue. The hefty fine was intended to force big tech to comply with the rules, which includes self-reporting a data breach within 72 hours of it occurring. Yet, when Facebook exposed private photos from up to 6.8 million users last year, it took nearly two months for the company to disclose the breach, exposing the limits of GDPR. The mixed results so far prompted Europe’s Commissioner for Competition Margrethe Vestager to admit the continent’s laws still “have a long way to go” in a recent conversation with Recode.

“We cannot leave it to Facebook or Snapchat or anyone else,” Vestager said. “We have to take democracy back and renew it. Society is about people and not about technology.”

European regulators are forging ahead on another front — the intellectual property of content shared on internet platforms. Late last month, Parliament passed a sweeping copyrights law that said platforms are legally responsible for content posted on their sites. The most contentious provisions allow publishers to charge news aggregators like Google news for snippets displayed in stories they link to and put online platforms responsible for vetting whether content uploaded, infringes copyright.

“In the past these platforms could publish anything and republish anything,” Yu said. “What it looks like going forward is that a lot of interesting satire and memes may also be subject to this type of scrutiny. In that regard, I do have reservations because it does have something to do with how much creativity we allow in our society.”

EU member countries still have 24 months to adapt the directive into national law, but discussions in Europe have started to shift the global tide in favor of regulators. Brazil’s own Data Protection Law, modeled after GDPR, is set to take effect next year. India is expected to follow with its own vote in Parliament later this year.

And in a potential sign of things to come in the U.S., California signed a digital privacy law last year, granting consumers the right to know what data companies are collecting about them, why they’re collecting it, and who they’re sharing it with. The law takes effect next year.

“I think the days where (companies) could do whatever they wanted are over,” said James Lewis, Director of the Technology and Public Policy Program at CSIS. “This desire to have a more industry friendly law in the U.S. without blowing up privacy shield is going to be one of the biggest battles.”

If that battle ends with a new privacy regulation in the U.S., smaller tech companies may end up facing more of a compliance burden than the large tech giants like Facebook that are asking for Congress to police them.

Akiko Fujita is an anchor and reporter for Yahoo Finance. Follow her on Twitter at @AkikoFujita

More from Akiko:

Follow Yahoo Finance on Twitter, Facebook, Instagram, Flipboard, LinkedIn, YouTube, and reddit.