During Facebook (FB) CEO Mark Zuckerberg’s visit to the Senate on Tuesday, the European Union’s General Data Protection Act, known as GDPR, was the elephant in the room.
The landmark legislation, going into effect on May 25, was only mentioned by name once in response to Sen. Maria Cantwell (D-Wash.) asking whether Zuckerberg believed “European regulations should be applied here in the U.S.”
Zuckerberg gracefully responded some version of no, but added that Facebook would roll out “affirmative consent” controls required in GDPR. “We’re doing that around the world,” he said, “regardless of what the regulatory outcome is.”
Anyone familiar with a 10-K, an annual report the SEC requires companies to file, knows that “risk factors” is one of the most interesting chapters in an otherwise rather dry document. In Facebook’s, it plainly references the European regulation, noting its severe penalties for non-compliance. With penalties up to 4% of global revenue, there is no doubt that neither Facebook nor its chief executive enjoys the European regulations.
Throughout his Congressional testimony on Wednesday and Thursday, lawmakers threatened Zuckerberg with a “if you don’t fix it, we’ll fix it for you” approach, with Republicans adding gravitas by reminding the CEO that in general they don’t like regulations.
A consensus has emerged in the Beltway based on the lawmakers’ shaky grasp of Facebook and the lack of a unified vision for regulation: nothing much will happen, probably.
An American GDPR is probably not coming, and Facebook can keep it away
Scott Vernick, a trial lawyer at Fox Rothschild, who deals in tech and privacy law, considers this to be a bit of a reprieve for Big Data, a moment they can have to self-regulate, which Congress showed may actually not be too late.
“The grand bargain is being re-examined — free services for your data,” Vernick told Yahoo Finance. But for the private sector, he continued, and particularly for data-rich companies and social media platforms, “they have a window now to take the initiative to get their house in order. If they don’t, I think someone else is going to do it for them.”
The companies of Big Data – Facebook, Google, Amazon, Apple, Netflix, Microsoft, to name a few – have already prepared for GDPR’s arrival, to fall in compliance with the new law. In February, Yahoo Finance spoke to GDPR experts like Lydia de la Torre, a fellow at Santa Clara University School of Law and former privacy counsel for eBay, who expressed doubt that Facebook or other companies would roll out GDPR-mandated tools for users outside of Europe.
The U.S., for example, would likely not get the tools to take control of data.
But with the Cambridge Analytica scandal rocking Facebook’s foundation, the landscape has changed enough for Zuckerberg to say over and over again to lawmakers: we’re doing some of the stuff in GDPR on our own.
Zuckerberg’s hearing notes, photographed by an AP photographer, had a few bullet points on GDPR — capped off with “(Don’t say we already do what GDPR requires)” in bold. The rest of the points were essentially what he told the government: the company would be putting in place better consent forms and will revamp the terms of service so the bargain is clear.
“There’s a real opportunity right now, not just for Facebook, but for any data-rich company generally to take the initiative,” said Vernick. “Be very aggressive and very public and transparent putting in place something like GDPR — call it GDPR lite, or whatever — so the company is controlling its destiny.”
The initiative, Vernick notes, is important. Regulation would obviously include fines for non-compliance, because why even have regulation otherwise? “Even if you don’t have fines,” Vernick said,” when the government tells you to do it, obviously that’s different.” If this move staves wards off government intervention — and helps rebuild user trust — it have been be worth it.
So when will this “GDPR lite” happen? One of the more savvy lawmakers, Rep. Jerry McNerney (D-Calif.), asked Zuckerberg to shine a little light on when exactly American users will have the “similar protections” to GDPR.
All McNerney was able to get out of the CEO was a “we’re working on it,” indicating that it probably won’t be in place when the Europeans get it next month. But with Congress watching, un-unified and on their back feet, Facebook probably won’t need to be told twice.