Facebook CEO Mark Zuckerberg faced one of his toughest tests yet when he was grilled by 44 senators on Capitol Hill. It came amid questions over how Russia used the social network during the US election of 2016, and how political consulting firm Cambridge Analytica was able to harvest data from 87 million Facebook profiles without most users’ consent.
But his job will get harder should the US follow the EU’s lead and install aggressive data protection legislation to empower citizens.
In an effort to harmonise such laws across the continent, the EU has prepared the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
The framework would ensure internet users’ personal data is not shared without their express consent, and that organisations have thorough data protection policies and records of their activities in place, as well as a data protection officer in some cases.
They would need to guarantee that personal data is processed lawfully, transparently, and for a specific purpose until it no longer serves that aim, by which time it must be deleted.
The rules would apply to all companies that control or process data from within the bloc, regardless of where they are physically based, and it would be their responsibility to adhere to them.
The regulation represents the biggest overhaul in data protection law in Europe since 1995, and will make companies like Facebook more accountable than ever should personal data be improperly handled. Fines imposed under the new rules could amount to as much as 4% of a company’s global annual revenue.
Could the GDPR have prevented the data leak scandal?
There is little hope the 87 million Facebook users affected by the data harvest will be able to claw back their personal information from Cambridge Analytica (CA) and get justice short of launching legal action. However, a regulation as rigid as the GDPR should prevent similar data leaks from occurring on its patch.
The leak was so large because CA was able to retrieve personal data belonging to the friends of the Facebook users who downloaded its quiz app (its data-harvesting tool). The social network allowed this at the time: the friends’ consent was not required.
But under the GDPR, companies must have users’ permission, given via a clear affirmative action, before they can receive their personal data or override their privacy preferences.
Secondly, personal data sought by a business must be specified contractually and must be necessary for the service it provides. Aside from pooling information from users’ friends, Facebook has since confirmed that CA may have collected private messages, too. Such data was not needed for users to complete personality tests on the quiz app, and taking it would have breached GDPR rules.
The regulation also requires that companies inform the relevant data protection authority within 72 hours of becoming aware of a breach that risks people’s rights and freedoms. Facebook has admitted that it first learnt data was being handled improperly by Aleksandr Kogan, who developed the quiz app, and CA in 2015, two years before it was exposed publicly and brought to authorities’ attention. Under the GDPR, such an infraction would incur a penalty equal to 2% of the social network’s annual worldwide revenue ($813 million in 2017), an eye-watering amount that would likely displease shareholders and threaten 33-year-old Zuckerberg’s position in the company.