What America Can Learn from Europe on Privacy

If Mark Zuckerberg’s congressional hearings made anything clear, it’s that it is time for lawmakers to step up to the plate and craft more stringent regulations for platforms like Facebook. As Rep. Jan Schakowsky (D-Ill.) observed, the list of Zuckerberg’s apologies for the social media giant’s missteps is long – 2003, 2006, 2007, 2010, 2011, 2017 – and self-regulation is no longer an option. Americans deserve to know exactly who is in possession of their data and what is being done with it. Perhaps most importantly, they shouldn’t have their data mined by an organization which they haven’t personally given permission to do so.

This is not to say that Facebook – or indeed social media at large – is a completely negative force. On the contrary, it is, as Rep. Bobby Rush (D-Ill.) aptly put it, “one of the great American success stories.” Facebook raised tens of millions to help victims of the many natural disasters that occurred last fall. In 2014 alone, it pumped $100 billion into the U.S. economy. Small businesses across the country depend on Facebook to market their products and services, and millions use it to keep in touch with friends and relatives from afar. It’s an invention of unprecedented size and scope that has changed the face of the world – socially, economically and ethically.

This reality makes the work our legislators have to do particularly challenging. How to balance the amazing benefits of Facebook with a user’s right to privacy? How to keep the company accountable without completely overthrowing the ad-based business model that allows it to keep the service free? How to give users the protection they deserve while giving innovators the freedom to devise new products?

We’re charting new territory here – unsurprising, since innovation by its very nature outpaces regulation – and, as the hearings showed, many of our federal leaders have a good deal of caching up to when it comes to what social media is and how it works.

But whether or not industry or government is ready, a deadline is coming for lawmakers and industry leaders to decide how they want to enter the next era of internet innovation. On May 25, the European Union’s response to data protection – General Data Protection Regulation, which is a new series of laws designed to give citizens of the EU a greater level of control over their personal data – will go into effect. It enumerates user privacy rights, including the right to be notified before 72 hours elapse following a data breach, the right to obtain a copy of the personal data an organization has on you, the right to demand an organization erase all of your personal data and the right to transfer control of your data from one organization to another.

It also requires organizations to implement stricter privacy rules, including the appointment of a data protection officer for certain organizations and what’s known as “privacy by design,” or the incorporation of privacy from the very beginning of system development. Most significant, however, is the scale of GDPR: It not only requires companies within the EU to comply, but it expects any organization that handles the data of a EU citizen to comply – even if that organization isn’t based in the EU.

The regulation will go into effect in just a few short weeks, and companies across the globe are hurriedly getting their systems in order so as to avoid the whopping fines (4 percent of annual global turnover or €20 million, which in U.S. dollars is around $24.6 million). Facebook, it’s worth noting, also plans to comply to these standards. As federal legislators consider how best to address the privacy regulation in the weeks to come, they must decide how they will respond to GDPR – particularly as it affects U.S. industry – and whether they want to establish similar standards domestically.

But above all, legislators also must tailor it in such a way that preserves our culture of disruption and ingenuity.  Facebook’s international success is due in large part to the fact that the United States has a legal framework in which this culture can flourish, allowing tech innovators to develop better ways of working, shopping, connecting and traveling. Placing undue burdens on the tech industry would stymie this creativity. Worse, it could potentially cause us to forfeit our edge in the innovation economy. And on a practical level, we need the tech industry’s help to develop reliable privacy protection tools and design systems that protect our citizens from improper use of personal data.

It’s a fine line to walk, and it will take continued investigation and frank conversation between legislators, industry experts and the public at large. But by combining forces, we can develop a system that will protect American privacy and preserve American creativity into the 21st century and beyond.

Thomas F. Kelly is president and CEO of ID Experts, a Portland, Oregon-based provider of data breach and identity protection services including, and is a Silicon Valley serial entrepreneur and an expert in cybersecurity technologies.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult