On April 10, 2018, Facebook’s CEO began his two-day testimony before Senate and House Congressional committees in a quintessential US setting but may have brought with him a groundbreaking privacy regime from across the Atlantic in the process. Mr. Zuckerberg testified: “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation.” The Net Neutrality regulations Zuckerberg may have had in mind may not be what is ultimately in store for Facebook.
By way of background, the EU’s General Data Protection Regulation (679/2016/EU) – which recognizes that the “protection of natural persons in relation to the processing of personal data is a fundamental right” – requires the implementation of an EU-wide regime of country-specific laws effective by May 25, 2018. Despite its current Brexit status, the UK has also voluntarily implemented GDPR.
The GDPR harmonizes to a great degree the privacy laws of every EU country and broadly controls the use of personal data in connection with either the offering of any goods or services to persons in the EU or the monitoring of EU-based persons. Companies must ensure that they only collect and process the minimum required personal data for the express use given under an unequivocal affirmative consent. The new consent requirements found in the GDPR bring this privacy regime to compliance levels never before seen.
Companies that collect and use personal data must now clearly explain to data subjects the exact uses made of such personal data – with evidence maintained that demonstrates related processes are compliant and followed in each individual case. Persons must also be afforded the opportunity to easily withdraw their consent to this use of personal data at any time and without suffering any detriment as a result of their request. Moreover, persons protected under the GDPR have a right to be forgotten, i.e., to have all their personal data deleted, and a right to reject any data profiling.
Not unlike rights under 15 U.S.C. § 1681c of the Fair Credit Reporting Act when it comes to credit information, persons will also have the right to have their personal data amended and rectified and the right to be informed as to what personal data is currently being retained or used. Unfortunately, getting Facebook to comply with these subject-access requests has previously been a difficult task. Some have argued that the right to be forgotten – which is actually now more properly termed a “right to erasure” – can only work when GDPR becomes a global privacy regime having “globally connected legislation to ensure that information stored outside of the EU also underlies similar strict privacy regulation.”
A “serious breach” of GDPR requirements may result in a fine of up to 4% of the annual worldwide revenue of the impacted company – with the minimum fine set at €20 million. Disregarding the potential lack of enforceability for this extra-jurisdictional law, companies have been prepping for the GDPR privacy regime for years. Indeed, given the potential downside, multi-national companies based in the US have not surprisingly spent millions of dollars on their GDPR compliance efforts.
Under the GDPR, the EU is for the first time in line with the US as regards data breach notification – but with a uniform and much stricter obligation to notify regulatory authorities within 72 hours of a breach. Given that Alabama has recently enacted its own data breach notification law – one that requires notification within 45 days of a breach if the breach is reasonably likely to cause “substantial harm” to the individual to whom the information relates – all fifty US states now have a data breach notification law. Nevertheless, the current patchwork standard for breach notice in the US is far from uniform and certainly much less onerous than the blanket one set forth in the GDPR.
GDPR and Facebook
As set forth on its website, “Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. . . Facebook may serve as a data processor. When Facebook acts as a data processor, businesses are responsible for ensuring data they share with us complies with the GDPR.” As a data processor that employs more than 250 persons, Facebook is obliged under GDPR to keep detailed records of all of its processing activities. In other words, GDPR opens the door to accessing Facebook’s vast data mining activities, only hinted at by the recent Cambridge Analytica brouhaha.
On April 11, 2018, Mark Zuckerberg testified before the House Energy and Commerce Committee that GDPR “will be positive” and that requiring that companies obtain “affirmative consent” makes sense. According to Mr. Zuckerberg, there are a few parts of GDPR that are “important and good”. For example, users should know what data companies have, and users should be able to control this data. When asked if GDPR got anything wrong, however, he could not answer the question and simply said he would have to “think about it”. He was asked to provide his response to the House Energy and Commerce Committee at a later date.
GDPR, Facebook and Congress
Free-market Republicans who typically shy away from regulatory intervention gave more than passing nods to potential legislative intervention as regards Facebook. Sen. John Kennedy (R., La.) bluntly recognized that Facebook’s “user agreement sucks.” And Senate Commerce Committee Chairman John Thune (R., S.D.) said: “I’m not convinced that Facebook’s users have the information they need to make meaningful choices.” He also said that while Washington has “been willing to defer to tech companies’ efforts to regulate themselves. . . this may be changing.” Mr. Kennedy was again more blunt: “There’s some impurities in the Facebook punch bowl. . . I don’t want to have to vote to regulate Facebook. But by god, I will. That depends on you.”
Not waiting for Senators Kennedy and Thune to act, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) – two longtime privacy advocates – announced on April 10, 2018 their Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act – proposed legislation requiring the Federal Trade Commission (FTC) to establish specific privacy protections “for customers of online edge providers like Facebook and Google.” Among other things, the CONSENT Act would require that these “edge providers” obtain opt-in consent from users “to use, share, or sell users’ personal information” as well as notify users about “all collection, use, and sharing of users’ personal information.” Although on its face the proposed law is not nearly as onerous as the GDPR privacy regime, there is nothing stopping the FTC from promulgating future regulations that not only include opt-in consent and use disclosures but also GDPR requirements that would never have been on the table before Mr. Zuckerberg began his unsworn testimony before Congress.
In a prior interview with the Washington Post, Senator Markey said: “I think that this [Facebook] privacy spill is politically the equivalent of the oil spill in the Gulf of Mexico. Because it involves our very democracy, I think [it] is going to draw more attention of the American public to this issue.”
GDPR, Facebook, Congress and the Monetization of Consumer Data
On the heels of recent comments from Facebook’s COO regarding the possibility Facebook might one day charge users a fee, Zuckerberg left the door open to the possibility of charging consumers for use of its social media platform. During his April 11, 2018 House testimony, Zuckerberg again denied that Facebook sells its user data, saying: “That’s not how advertising works.” A day earlier Zuckerberg repeated numerous times that Facebook did not sell consumer data – prodding Sen. John Cornyn (R-Texas) to exclaim: “You clearly rent it!” No matter how Mr. Zuckerberg perceives advertising as working or whether or not Facebook actually “sells” consumer data, one takeaway from these hearings is that perception can quickly morph into reality.
Not surprisingly, California is not waiting for the federal government to act and has its own mini-GDPR percolating. The proposed California Consumer Privacy Act of 2018 ballot initiative would give consumers the right to ask businesses what personal data of theirs is collected and how it is being used. It will be voted on in November 2018 and already faces opposition from Facebook and other California companies standing to lose significant revenue, because there is a private right of action under the proposed law. Given that there is no “opt-in” requirement in this ballot initiative, GDPR will remain the gold standard when it comes to protecting consumer data from unregulated monetization.
Apple’s Tim Cook jumped for higher ground during Zuckerberg’s testimony and publicly said Apple – unlike Facebook – does not monetize its customers and would welcome legislative solutions. Specifically, Cook said: “The truth is, we could make a ton of money if we monetized our customer — if our customer was our product. We’ve elected not to do that.”
Apple’s perspective is either surprisingly narrow or deliberately pinched. Obviously, the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day. Accordingly, if Facebook loses revenue due to legislative intervention, Apple will likely not be far behind.
There is hope for both platform providers and device manufacturers even if that happens. As recognized by the Project Director at the Georgetown Center for Business and Public Policy, “If the [internet’s] grand bargain unravels, entrepreneurs will no doubt innovate new ways to make money and continue developing disruptive products and services.”
Unbridled data consumption and privacy protection can successfully coexist when immutable and transparent data is bound by a secure and continuous unequivocal affirmative consent. In essence, user data must be treated like a protected commodity that can actually benefit its owner. Indeed, Congresswoman Debbie Dingell (R., Mi.) ended her April 11, 2018 questioning of Zuckerberg by opining that data protection was no less important than having “clean air and clear water”. A company that is able to keep “pure” a user’s data while feeding such data into various digital media ecosystems and compensating the data owner in the process will have found the middle ground previously and consciously avoided by existing billion-dollar platforms.
Sometimes all it takes is one door to close for another one to open.