Fascinating testimony by Facebook CEO Mark Zuckerberg before Congress this week, touching upon a variety of topics where social media and government potentially collide, and raising a number of interesting questions including:

– Is Facebook too powerful?

– Can Facebook (and other tech firms) be expected to regulate themselves?

– What impact should social media platforms have on elections?

– What responsibility do Facebook and other social media platforms have for data misappropriation?

– Who really controls my data?

(And, from to one Senator who had most recently dialed up the internets via a 14.4 modem, what hotel Zuckerberg stayed at the night before…)

What emerged from the testimony was the heightened sensitivity around the privacy of personal data – and Zuckerberg’s public commitment to do more. Zuckerberg indicated that Facebook is making changes now to limit advertiser access to user data. He noted they will have 20,000 people working on security and content review by end of the year, and that it is making significant investments in artificial intelligence to enable a proactive approach toward policy enforcement.

But is that enough? For some senators, clearly not. Senator Kennedy eloquently stated that “your user agreement sucks!” when describing the adequacy of Facebook’s 3,100-word Terms of Service agreement that serves to protect Facebook’s legal rights over the rights of users. Others pointed at the dependence on user action to protect privacy, or concerns that bias too frequently enters into the content review process. The fact that Zuckerberg indicated that AI solutions to inspect content will take the next 5-10 years to deploy also drew negative reaction, given that some of those same underlying technologies are in use today to personalize advertisements. And, “my team will get back to you” was heard at least a dozen times, sometimes in response to seemingly straightforward service questions.

So, is regulation of social media the only course forward?

On the other side of the argument, some senators blame a broader issue of the under-regulated technology sector as the culprit, with high tech being subjected to only 27,000 regulations versus 128,000 covering Financial Services, as noted by Bank of America Merrill Lynch. The fact that existing US privacy regulations are woefully outdated and ineffective (as noted in our earlier post) can easily lead one to the conclusion that a new round of regulations are overdue (this, of course, is beyond existing vertically specific regulations that cover the use of social media by firms in financial services, pharma, healthcare, etc.).

As to be expected, a number of bills are now before Congress in an attempt to address this, including:

• Consent Act  – requiring explicit user consent to share information
• Honest Ads Act  – promoting political ad transparency
• Browser Act  – also requiring explicit opt-in approvals and operating similar to FCC privacy rule

Zuckerberg himself said that some form of ‘sensible’ privacy regulation makes sense, and he sees that “Europe has gotten some of this right” and “GDPR is a positive step for the internet”. In particular,
Facebook claims to be supportive of requiring consent for specific data sharing features, with special consent required for emerging areas including facial recognition. However, support for specific legislation outlining GDPR-like breach notification requirements, rights to be forgotten, or complete transparency on all actions Facebook takes on user data would “depend on the details”.

“Everyone in the world deserves good privacy protection”

Post-Cambridge Analytica, Zuckerberg’s testimony has the potential of acting as a turning point in the way that individuals – and organizations – prioritize data privacy. Social media providers have the ability to step forward with greater transparency, more intuitive privacy controls, and investments in advanced technologies that identify and eradicate malicious actors. Simply posting privacy policies will no longer be sufficient in a post-GDPR world without effective, automated enforcement. The risks are real, the spotlight is shining, and the privacy laggards are likely to be left in the pile of the last generation of social media platforms.

Originally published on Actiance.com, April 12, 2018.