Image of man making judgement and holding up a red card showing the difficulty of regulating privacy as shown by the Facebook Cambridge Analytica case
Facebook Cambridge Analytica Case Shows the Difficulty of Regulating Privacy

Facebook Cambridge Analytica Case Shows the Difficulty of Regulating Privacy

The arrival of Facebook CEO Mark Zuckerberg in Washington for two days of Congressional testimony in mid-April was supposed to establish a national debate about data privacy and the right of users to protect their data from being sold, used, or analyzed in ways that were never intended. And while legislators in both the House and Senate were able to ask important questions to Zuckerberg, it has become very clear that regulating privacy is harder than anyone originally expected.

In order to regulate Facebook, you have to know how it works

For one, the Congressional committees that were grilling Mark Zuckerberg on live TV showed that they had a very limited grasp of exactly how Facebook worked. In fact, their inability to understand the Facebook advertising model soon became the basis of jokes by late night comedians in the United States. (In some questions, Zuckerberg was even referred to as “Zuckerman.”) And many top Republicans who were asking the tough questions tried to make the hearings more about censorship of political views rather than about data privacy.

In many ways, however, the confusion of how to regulate Facebook should not be surprising. While everybody knows that Facebook is a “social network,” there are not many people who view “social networking” as an industry, the way you might view the banking sector as an industry, the telecommunications sector as an industry, or the oil and gas sector as an industry. Thus, there is no established template for how to regulate Facebook. Just as members of Congress have struggled with notions like Net Neutrality, they are now struggling with notions like Data Privacy.

Past attempts to regulate privacy have proven ineffective

The United States is unique in that there is no overarching privacy legislation that recognizes privacy as a right, or that describes exactly what types of rights people have when it comes to their data. Not that there haven’t been attempts in the past to create just such a broad, sweeping piece of legislation that would consider privacy. For example, during the Obama administration, efforts were made to push forward a “Privacy Bill of Rights” that would have explained exactly what types of privacy rights U.S. citizens had.

But all of these previous efforts have floundered, and the model today is one of self-regulation. Essentially, the largest Internet companies – Facebook, Twitter, Google – all agree to make changes to their internal policies to protect the privacy rights of their users, and by so doing, avoid the heavy hand of the U.S. government.

Up until the 2016 U.S. presidential election, that type of strategy seemed to be working. While there were missteps along the way – such as Facebook’s intermittent run-ins with the Federal Trade Commission (FTC) over its data practices, these were all handled without the need to introduce new legislation. Back in 2011, for example, Facebook had to sign a consent degree, saying that it would not allow user data to fall into the hands of third parties without the consent of users.

Potential models from other countries

Some Internet pundits have suggested that there might be a model for regulating Facebook from other nations. Most notably, the example of the European General Data Protection Regulation (GDPR) has started to gain traction in mainstream circles. The GDPR, set to go into effect in May 2018, would seem to offer a sweeping new way to regulate personal privacy. While the legislation was created with European citizens in mind, the legislation is so sweeping and so comprehensive that it involves any company, anywhere in the world, that collects data on European citizens.

Thus, a company like Facebook – which obviously has a large European presence – would seem to fall under the purview of the GDPR. That might explain, to a large degree, why Facebook has suddenly become so willing to step up its self-regulation efforts. Prior to 2018, the Silicon Valley company had been lobbying against any regulation of any kind. But now, the writing is on the wall. Failure to self-regulate now could have potentially drastic implications for the company, such as being swept up in a more draconian U.S. version of the GDPR.

In past testimony and interviews, CEO Mark Zuckerberg has referenced examples from other countries. Most notably, he has mentioned the very strict “hate speech” regulations in Germany, where any hate speech must be pulled down within 24 hours. That has obvious implications for Facebook, where any form of “hate speech” on the social network by German users is of particular concern.

The role of technology in any regulation of privacy

One solution proposed by Facebook has been the use of artificial intelligence to spot nuanced hate speech and bullying online. Those same AI solutions, theoretically, could be applied to any attempt by foreign actors to amplify divisive political views, or to spread disinformation, as was taken to be the case during the 2016 U.S. presidential election. AI tools are becoming more and more sophisticated, and it is entirely possible that machines may be more effective than people in spotting things that shouldn’t be posted on Facebook.

That might be why Washington legislators have been trying to turn the debate over “data privacy” to one over “political censorship” and “election meddling.” It is certainly much easier to “clean up” Facebook than it is to figure out how user data is actually being used and collected. And it is much easier to kick the can down the road and assume that a new technology such as AI will take care of all the heavy lifting.

Congressional hearings on #CambridgeAnalytica case showed limited understanding on how to regulate #privacy.Click to Tweet

One thing is clear – both the public and the Washington politicians need to keep up the pressure on Facebook. They need to be clear that, this time, a simple promise to do better is not going to be enough. If Facebook does not go along with a massive revamp of data privacy, then there are really only two options – massive fines that target the ability of Facebook to continue as a viable business entity, or the adoption of very strict legislation that goes far beyond anything that has been yet proposed. Faced with those two options, it’s easy to see why Facebook has been scrambling to get out in front of the debate and show its best intentions to self-regulate.