Data Privacy

Some Experts Caution Against New Rules in Wake of Cambridge Analytica Scandal

Panelists characterized forthcoming EU rules as potential regulatory overreach

General Data Protection Regulation (GDPR) on keyboard button

The Cambridge Analytica scandal that prompted Facebook Inc. Chief Executive Mark Zuckerberg to testify before lawmakers last week should not necessarily warrant additional privacy regulations, according to a panel of experts at a Technology Policy Institute event Monday.

Panelists suggested that imposing regulations in response to the recent scandal is not the answer, saying that more rules could have the unintended consequence of helping large companies that are better suited to deal with new requirements, at the expense of smaller firms.

The Technology Policy Institute is supported by a variety of tech groups, including Amazon.com Inc., Facebook and the Charles Koch Foundation.

One example that panelists characterized as potential regulatory overreach is the European Union’s General Data Protection Regulation, a set of requirements regarding how companies and online platforms collect personal information from EU residents. The rules, set to take effect on May 25, require companies to adhere to strict guidelines regarding how they inform consumers about data-collection efforts.

Zuckerberg told lawmakers on Capitol Hill that Facebook plans to extend the GDPR requirements “around the world.”

Adam Thierer, a senior research fellow with the Technology Policy Program at George Mason University’s Mercatus Center who spoke at Monday’s panel discussion, didn’t seem to share Zuckerberg’s viewpoint.

“We have a lot to learn from Europe on this front, but not the ways the Europeans want us to learn it,” Thierer said. “At some point, there are only so many firms that can sort of pay the pound of flesh to the regulators when it comes to thinking about things like new types of data restrictions and algorithmic controls or auditing or transparency requirements or GDPR-type things, or hate speech filtering requirements.”

Several lawmakers have called for regulations to protect consumers’ personal data following the Cambridge Analytica revelations. Democratic Sens. Ed Markey (Mass.) and Richard Blumenthal (Conn.) introduced legislation that would place restraints on the types of data that edge providers like Facebook can collect from users, including a provision that would require opt-in consent from users before platforms can use, share or sell consumers’ data.

Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) said they plan to introduce bipartisan legislation that would protect consumers’ online data by ensuring digital platforms are compliant with a variety of privacy policies to protect users, including strengthening responses following data breaches.

Panelists agreed that the use of consumer data to help target advertising is a common aspect of free social media platforms such as Facebook and Twitter Inc., and suggested that the Cambridge Analytica revelations and congressional hearings only served to underscore how these sites have long operated.

“There is a heightened awareness, I think, that’s happened in the public as to the types of data that are out there, given all of the press and attention to this,” said Stuart Ingis, chairman of law firm Venable LLP, which regularly defends companies involved in investigations with the Federal Trade Commission and state consumer protection authorities.

Zuckerberg testified in both the House and Senate to discuss Facebook user privacy and Russian election meddling efforts on the platform during the 2016 presidential election. His testimony followed revelations that political data firm Cambridge Analytica improperly harvested the personal information of up to 87 million Facebook users.

“What’s at issue here is not sensitive data,” said panelist Howard Beales, a professor of strategic management and public policy at George Washington University who served as the director of the Federal Trade Commission’s Bureau of Consumer Protection from 2001-2004.

“This is a breach without any significant adverse consequences to the information these people shared,” Beales said. “And I think that is an essential point to keep this in perspective, that this is not information harmful to consumers. It is information about consumers, and has been widely used in a variety of contexts.”