A string of data privacy scandals has heightened the likelihood of regulation on internet companies, with lawmakers and executives concerned about finding the elusive spot on the supervisory dial that protects public information without squelching technological entrepreneurship and innovation.
Last week, both the U.S. Senate and House of Representatives held hearings with Facebook Inc. CEO Mark Zuckerberg, asking about the company's improper sharing of user data with third parties as well as the social media giant's role in enabling foreign actors to meddle in the 2016 U.S. election. During the two congressional hearings, both Zuckerberg and lawmakers signaled some interest in developing stronger regulations and consumer privacy protections for social media companies. But they and other industry observers remain torn over whether the government is able to determine the right level of intervention needed.
"My position is not that there should be no regulation," Zuckerberg said during a hearing in front of the U.S. Senate Judiciary and Commerce committees, adding, "I think the real question, as the internet becomes more important in people's lives, is what is the right regulation."
The EU vs. the U.S.
One possible solution that some U.S. lawmakers seem to be considering is replicating the European Union's new General Data Protection Regulation. The GDPR is a new series of rules and privacy laws designed to strengthen the protections around how EU citizens' data is collected, stored and managed. The rules, set to go into effect on May 25, require a company to obtain unambiguous affirmative consent from a user before collecting or processing the user's personal data. Among other provisions, the rules also require a company to alert users of certain types of data breaches within 72 hours of learning of the occurrence and to incorporate privacy-by-design when developing new services, considering privacy and data protection compliance from the project's start.
These EU rules are far more restrictive than the online privacy regime currently enforced in the U.S. by the Federal Trade Commission. While the EU has a fairly broad definition of what constitutes "personal data" — including a person's name, photo, posts on social networking websites and IP address — the FTC framework focuses more narrowly on "sensitive data," such as geolocation information, children's information, health information, financial information and social security numbers. In general, rather than requiring opt-in approval for most types of online data collection, the FTC relies more heavily on an opt-out approach.
The FTC said in March it would investigate Facebook's data privacy practices and is reportedly looking into whether the sharing of information with a third party violated a previous consent decree between the FTC and Facebook. If found in violation of the decree, Facebook could face significant fines.
In an interview, Eric Goldman, a law professor at Santa Clara University, said the real question is "How do we dial up or down the regulation to cover the situation where we want to encourage a really robust app developer community but we don't want them going in and misusing data?"
Speaking at an April 5 event, FTC Commissioner Terrell McSweeny said the agency needs "stronger tools."
"I think [the issue] underscores that the FTC is not strong enough … to be the kind of consumer protection agency that is required for a moment in which we are connecting every part of our lives to the internet," she said.
During the April 10 Senate committee hearing, Sen. Maria Cantwell, D-Wash., asked Zuckerberg directly whether he personally thought the GDPR should be implemented in the U.S.
"I think everyone in the world deserves good privacy protection," Zuckerberg said, adding that regardless of whether similar rules are implemented in the U.S., "We're committed to rolling out the controls and the affirmative consent … that are required in GDPR. We're doing that around the world."
Zuckerberg reiterated that commitment on April 11 before the House Energy and Commerce Committee, though when asked about some of the specific requirements under the regulation by Rep. Gene Green, D-Texas, he said his staff would have to follow up with the congressman after the hearing.
In an interview, Pivotal Research Group analyst Brian Wieser, who follows internet advertising companies closely, said that he sees the voluntary implementation of the GDPR as "not the only solution, but a solution" to some of the privacy scandals that have plagued Facebook of late.
While these protections "would probably hurt the business in the short term" in terms of revenue, Wieser said, he believes they could help ensure the company's long-term brand and position. Wieser, however, noted it would be difficult to get enough votes for such a measure in the U.S.
"Is the will there right now? I don't know. In Europe, it is," he said.
Risk of overregulation or inaction
Some lawmakers, in fact, have indicated they would be skeptical about any new legislation around this issue.
"Whenever a controversy like this arises, there's always the danger that Congress' response will be to step in and overregulate," Sen. Orrin Hatch, R-Utah, said during the April 10 hearing.
Tusk Holdings CEO Bradley Tusk, a venture capitalist and political strategist whose venture capital firm works with and invests in high-growth startups facing political and regulatory challenges, also worries about the danger of overregulation.
Tusk said that while he would not be surprised to see lawmakers adopt all or portions of the GDPR, the broader problem is that the tech sector might become more of a target for policymakers looking to win favor with constituents.
"They might say, 'We can't trust any company out of the tech sector because look what they do: they sell your data, they give it to the Russians, they put everything at risk and they're dishonest,'" Tusk said, adding that while he sees this as a "totally false argument," he also sees how it might have political appeal.
"People will easily conflate what's happening with Facebook with tech generally even though Facebook has as much in common with a startup as the Yankees have in common with my son's little league team," Tusk said.
While overregulation is a potential risk, others note there is also a risk to doing nothing.
Michael Connor, executive director of Open MIC, a nonprofit organization that works with investors on media and technology issues, said that though he does not endorse imposing specific pieces of legislation and regulation on Facebook and other similar companies, some "base level" rules should be present.
"Responsible companies with a long-term view can coalesce around certain industry standards," Connor said.

