The problem is lax privacy rules; Facebook is merely the symptom
As recently as 2010, Mark Zuckerberg, the founder and CEO of Facebook, believed that privacy was no longer a “social norm.” But over the past few weeks — and not a moment too soon — he and his colleagues have learned that privacy still matters to individuals and society.
Revelations about how Cambridge Analytica, a political consulting firm that worked for Donald Trump’s campaign, amassed data about more than 50 million Facebook users without their consent have forced the social media company to tell anyone who will listen that it takes privacy very seriously. Last week, Facebook said it was simplifying and centralizing privacy settings, making it easier for its more than 2 billion users to change how much personal information they share. That was an important and necessary change, but what we have learned about the data collection practices of social media firms, advertisers, political campaigns, online publishers and other groups suggests that company-specific changes like Facebook’s will be insufficient. What is needed is for Congress to adopt rigorous and comprehensive privacy laws.
The technology and advertising industries have long resisted such rules, and neither this Congress nor the Trump administration has shown any interest in privacy. But someday, new politicians will be in charge, and now is as good a time as any to begin a serious examination of how American privacy regulations can be strengthened.
There’s no need to start from scratch. In 2012, President Barack Obama proposed a privacy bill of rights that included many ideas for giving people more control over their information, making data collection more transparent and putting limits on what businesses can do with the information collected. The bill of rights fizzled out when Congress showed little appetite for it. But the European Union has used a similar approach in developing its General Data Protection Regulation, which goes into effect May 25.
The new European rules are not perfect — they include the right to be forgotten, which allows people to ask companies to delete personal information that they no longer wish to share. That could be implemented in ways that limit free speech. But the Europeans have made progress toward addressing some of the problems that have recently been highlighted in the United States. For instance, their laws require companies to seek consent before collecting sensitive personal information, to make the request understandable, and to give users an easy way to opt in to sharing such data (rather than forcing them to opt out). Further, companies that want to collect data about Europeans will have to be upfront about how they use personal data, and they cannot collect more information than they need to provide the services they are offering.
Today, it is standard procedure for many companies to vacuum up as much data as they can by getting users to agree to long, impenetrable terms of service. Recently, some Facebook users discovered that the company’s Android app had been logging metadata from every incoming and outgoing phone call and text message, in some cases for years. The company said users had consented to sharing this information, and that doing so “helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook.” That statement is positively Orwellian. It’s hard to believe that many people would have given the company access to so much personal data if they actually understood what they were agreeing to.
The new European regulation will also let people access their own data, transfer their information from one business to others that provide a similar service and delete it altogether under certain circumstances. Companies will have to notify customers within 72 hours if they become aware of a breach of personal information.
Many businesses will struggle to comply with the European Union’s new rules, and officials in member countries will have a hard time enforcing them consistently. “We will have a learning curve,” said Isabelle Falque-Pierrotin, who heads France’s privacy regulator, the Commission Nationale de l’Informatique et des Libertés. “We will have to adjust.”
But it is increasingly clear that businesses will figure out how to live with and make money under tougher privacy rules. Some companies are also planning to apply some or all of the data protection requirements to all of their customers, not just Europeans. And other countries have adopted or are considering adopting similar rules.
Throughout history, meatpackers, credit card companies, automakers and other businesses resisted regulations, arguing they would be ruined by them. Yet, regulations have actually benefited many industries by boosting demand for products that consumers know meet certain standards.
Facebook and other internet companies fear privacy regulations, but they ought not to. Strong rules could be good for them as well as for consumers.