Facebook CEO Mark Zuckerberg’s testimony before Congress last week highlighted the burgeoning importance of digital privacy in the minds of legislators and the American public. It may also mark the beginning of a long-overdue privacy awakening in our country.
Now is the right time for the U.S. government to acknowledge and defend American’s privacy rights by developing a comprehensive framework of legal protections.
The European Union has long embraced privacy in a much more thorough manner than the U.S. has. Global companies, including Facebook, have spent the last two years preparing for a new privacy regime scheduled to arrive in Europe on May 25. The General Data Protection Regulation (GDPR) will implement a 21st century digital bill of rights for EU residents by updating privacy regulations that first went into effect in 1995.
The GDPR applies to all personal information collected about EU residents, requiring that companies notify individuals of the types of information they collect and the ways they will use and share that information. The new regulation also provides individuals with the right to examine the data an organization has collected about them, the right to request the erasure of that information, and the right to withdraw their consent at any time.
The GDPR is more than just a fanciful set of ideals—it’s a regulation with serious teeth. Companies convicted of significant privacy violations under the GDPR face substantial fines, ranging up to €20 million or 4% of worldwide revenue, whichever is greater. Facebook generated $40 billion in revenue last year. If it were fined the maximum amount under the GDPR, it would result in a $1.6 billion penalty. That’s an amount certain to pique the interest of any CEO or corporate director.
The corporate world was already awaiting next month’s launch of the GDPR with bated breath; the Facebook controversy only ratcheted up the tension. Corporate privacy and security specialists want to see how the EU regulators enforce and interpret provisions of the new regulation. Regulators are aware of this corporate scrutiny and are likely eager to demonstrate that they are serious by quickly initiating a GDPR investigation of a major company. The first eight- or nine-figure fine levied against a multinational company will send shockwaves through boardrooms around the world.
During Tuesday’s hearing, the subject of the GDPR came up obliquely. When asked by Sen. Lindsey Graham whether Facebook would “welcome regulation,” Zuckerberg responded, “I think, if it’s the right regulation, then yes.” Graham followed up with “You think the Europeans had it right?” to which Zuckerberg chuckled and replied, “I think they get things right.” A few minutes later, however, we received some unexpected insight into Facebook’s current GDPR compliance status when a photojournalist snapped a shot of Zuckerberg’s talking points, which warned him in boldface, “Don’t say we already do what GDPR requires.” That photo surely caught the attention of European regulators.
America, on the other hand, lacks the comprehensive privacy framework that European regulators have had in place for over two decades. Instead, we’ve approached privacy regulation in a patchwork manner by adopting rules that apply to specific industries and specific types of information. Health care providers and insurers must comply with the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). Financial institutions must protect customer information in accordance with the Gramm-Leach-Bliley Act (GLBA). Companies interacting with children online must comply with the Children’s Online Privacy Protection Act (COPPA), while educational institutions are subject to the Family Educational Rights and Privacy Act (FERPA).
The problem with this patchwork of laws is that it contains enormous loopholes. There is, for example, no law that protects the information that social media companies collect from individuals. Facebook, Google, and Twitter may all use their apps to collect information about the online activities and even the physical locations of individuals without any regulatory oversight. While you might think that HIPAA privacy regulations prevent these firms from collecting and sharing individual health information, that’s not the case. HIPAA only applies to health care providers, insurers, and organizations that obtain information from those sources. Facebook and other technology companies fall right through that loophole.
Privacy experts and the media are already raising questions about GDPR-style regulations in the U.S. When reporters questioned Zuckerberg about his views on GDPR last week, he acknowledged that “regulations like this are very positive” and went on to say that Facebook plans to “make all the same controls available everywhere, not just in Europe.” If Facebook does voluntarily adopt GDPR standards worldwide, it would be a major advance in the company’s privacy posture.
However, that won’t be enough to protect Americans’ data.
While Facebook may agree to follow GDPR regulations worldwide, that doesn’t mean that those regulations will have the same teeth in the U.S. that they will have in Europe. Without a legal framework in the U.S., the consequences of failing to protect the privacy of American citizens will likely pale in comparison to the consequences of similar failures that take place in the EU. Additionally, Facebook’s voluntary actions won’t govern the activities of the thousands of other companies that store, process, and transmit sensitive personal information with no oversight.
The time has come for our country to get serious about digital privacy. We need clear and comprehensive regulations governing how organizations may collect, store, and process personal information. Our colleagues in Europe have taken this issue seriously for more than two decades, and we should now look to them for guidance in how we can do the same in the U.S.
Mike Chapple is an associate teaching professor of information technology, analytics, and operations at the University of Notre Dame’s Mendoza College of Business, where he specializes in cybersecurity and privacy issues.