How lawmakers are emphasizing data protection amid Facebook’s Cambridge Analytica crisis

The recent revelation that data firm Cambridge Analytica harvested data from 50 million Facebook users has sparked not only a backlash against the social media platform, but ongoing calls around the world for increased data protection.

Facebook CEO Mark Zuckerberg has come under fire in recent days, as the Cambridge Analytica scandal has spurred a #DeleteFacebook movement and made users question the amount of data the company collects. According to the New York Times, Cambridge Analytica, which was hired by Donald Trump’s political campaign, was able to gain access to information on Facebook users’ identities, friend networks, “likes” and location. Outrage has also grown amid the scandal as many learned for the first time that Facebook also collects phone data.

“This was a breach of trust, and I’m sorry we didn’t do more at the time. We’re now taking steps to ensure this doesn’t happen again,” Zuckerberg wrote in full-page ads that the CEO took out in U.S. and United Kingdom-based newspapers. “I promise to do better for you.”

Cambridge Analytica’s data collection efforts haven’t been the only scandal Facebook has faced since the 2016 election. The social media company has also come under fire for the proliferation of false information and Russian propaganda published on the social network during the presidential campaign.

Americans’ trust in Facebook has plummeted. According to a Reuters poll released Sunday, less than half of Americans trust Facebook “to obey laws that protect your personal information.” Thirteen percent of respondents said they trusted Facebook “a lot” and 28% said they trusted the company “a little,” as compared with 24% who said they do not trust it very much and 27% who said they don’t trust Facebook at all. The poll, which was conducted after the Cambridge Analytica report was released, revealed that Americans had more trust in other companies: 53% said they trusted Apple either a lot or a little to uphold the same protections, and 62% trusted Google.

“People are upset that their data may have been used to secretly influence 2016 voters,” Alessandro Acquisti, a professor of information technology and public policy at Carnegie Mellon University, told the New York Times. “If your personal information can help sway elections, which affects everyone’s life and societal well-being, maybe privacy does matter after all.”

Distrust in Facebook isn’t just limited to America. German newspaper Bild am Sonntag conducted a survey that found 60% of respondents believe “Facebook and other social networks are having a negative impact on democracy.” The Cambridge Analytica scandal extends beyond the U.S.; according to Channel 4, the company’s leaders boasted that the British firm had played a role in more than 200 elections worldwide, including the Leave campaign for Brexit in the U.K.

As a result of this public distrust, lawmakers on both sides of the Atlantic have been addressing the scandal and broader data protection efforts — and though the European efforts may be directed toward its own citizens, their legislation is set to have effects in the U.S. as well.

U.S. efforts

Lawmakers in Washington have been quick to speak out against Facebook’s policies. Democratic Sen. Mark Warner called Sunday for Zuckerberg to testify in front of Congress, echoing a comment made by Sen. Amy Klobuchar (D-Minn.) on Twitter.

“There are solutions, and what I invite Mr. Zuckerburg and others is come help work with us. Congress is not always at the best in terms of cutting-edge technology, they need to work with us so we can try to get it right,” Warner said Sunday on Meet the Press. “I don’t want to out-regulate these companies into oblivion, but I do think people need to have the ability to know whether information they’re receiving is honest, truthful and at least originates in this country.”

On Monday. the Federal Trade Commission confirmed that it had opened a non-public investigation into the social network, noting in a statement that the agency “takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook.” In 2011, the FTC and Facebook reached a settlement over charges concerning the social media company’s privacy practices, which former federal officials cited by the Washington Post speculated Facebook may have violated through Cambridge Analytica’s data collection.

Meanwhile, on Monday 37 attorneys general from states and territories around the U.S. sent a letter to Zuckerberg asking when Facebook learned about the Cambridge Analytica privacy breach, how the social media company monitors what developers do with the data they collect and about the company’s ongoing privacy efforts. Attorneys general in several states, including Massachusetts, Connecticut, Pennsylvania and New York, have also specifically announced that they will launch investigations into Cambridge Analytica.

“Companies that control huge amounts of personal data have a legal obligation to guard against theft and misuse of that information,” Massachusetts Attorney General Maura Healy said. “We are investigating to find out how and why this data was shared by Facebook and whether the appropriate steps were taken to protect it against misuse and manipulation.”

It remains to be seen, however, what changes lawmakers will ultimately make concerning data collection. Analysts cited by the New York Times predicted over the weekend that in addition to Congressional hearings, internet companies will likely “accept a few more rules and work a little harder for transparency.” Congressional action will likely to take the form of laws that specifically target certain sectors, such as political advertising, they said.

European efforts

In Europe, lawmakers are taking more concrete action to curb unfettered data collection by companies whose services are used by Europeans. Data privacy is more heavily regulated in Europe to begin with; European users can submit requests to Google to have certain search results removed, for instance, and can also ask companies to send them what data the company holds on them and how it’s used.

“We’re at an inflection point, when the great wave of optimism about tech is giving way to growing alarm,” Heather Grabbe, director of the Open Society European Policy Institute, told the New York Times. “This is the moment when Europeans turn to the state for protection and answers, and are less likely than Americans to rely on the market to sort out imbalances.”

U.K. Digital, Culture and Media Secretary Matt Hancock has called for the U.K. to direct tech companies, including Facebook and Google parent company Alphabet, to simplify their data management policies and provide users with clear terms and conditions on data usage. The U.K. Parliament is also considering a data protection law that would fine companies for mishandling user data, and has asked Zuckerberg to testify about Facebook’s data practices.

In Germany, Justice Minister Katarina Barley has called for a meeting with Facebook’s management in the European Union, in which she will demand they offer concrete solutions on data security.

Data protection changes throughout Europe were already set to take place in the coming months, however, as the E.U. prepares to implement the General Data Protection Regulation. The new regulations, which were first approved two years ago and will take effect May 25, will strengthen the E.U.’s prior data protection laws and impose hefty fines — either 20 million euros or 4% of a company’s annual global turnover, whichever is greater — on companies who violate its rules.

Under the GDPR, companies that serve E.U.-based consumers — even if they’re not based in the E.U. — will be required to write out consent forms in plain language, as well as make it easier for users to give and withdraw their consent to let companies collect and use data. Data breaches that might cause “risk to the rights and freedoms” of E.U. users must be reported to government authorities within 72 hours, as well as to users themselves if there’s a “high risk” to property and privacy rights, Forbes noted.

U.S.-based businesses with a reach in the E.U. will be required to comply with the new regulations. Though the law doesn’t contain any legal protections for those outside the E.U., it could be a way for American users to gain additional privacy protections. Experts note that the new regulations could provide a framework for the U.S. to adopt its own privacy laws.

“With the new European law, regulators for the first time have real enforcement tools,” Jeffrey Chester, executive director of the Center for Digital Democracy, told the New York Times. “We now have a way to hold these companies accountable.”

Even if the U.S. doesn’t adopt its own laws, the GDPR’s benefits could still extend to American users. An analysis of the new policy in the scholarly journal Information and Communications Technology Law notes that the regulations would extend the “regulatory landscape” by “benefiting businesses and recommending protection of personal data by both the E.U.- and non-E.U.-based companies and both inside and outside the E.U. in the digital single market.”

Many companies forced to comply with the GDPR will likely implement changes globally, rather than create multiple different systems for various regions.

“GDPR is going to introduce very fundamental changes to the way the internet works for everyone,” Doug Kramer, general counsel of CloudFlare, told the Times.

There is already evidence that these changes will have some sort of global reach. Facebook’s deputy chief privacy officer Rob Berman told Wired that “everyone on Facebook will see improvements to their tools and privacy controls this year,” and the company already launched a new global privacy center online.

According to the New York Times, other companies have also implemented global changes leading up to GDPR taking effect. Google, for example, is asking users worldwide about what data they want to share with its various products.

“For those of us who hold out no hope that our government will stand up for our rights, we are grateful to Europe,” Siva Vaidhyanathan, a professor at the University of Virginia who studies technology and intellectual property, told the New York Times. “I have great hopes that GDPR will serve as a model for ensuring that citizens have dignity and autonomy in the digital economy. I wish we had the forethought to stand up for the citizen’s rights in 1998 (the start of Google), but I’ll settle for 2018.”