Mark Zuckerberg and Europe’s GDPR

In his testimonies on Capitol Hill, Facebook’s founder and CEO almost appeared to be the biggest supporter of the new European data and privacy regulation. But…

At one point yesterday, GDPR was trending on Twitter with over 22,700 tweets.

The day before, Margaritis Schinas, chief spokesperson of the European Commission in Brussels, wrote on Twitter: “The many Europeans following #Zuckerberg Senate testimony tonight will certainly feel proud of our Union.”

Zuckerberg’s testimony live_Minute by minute, what Facebook’s founder and CEO is telling US lawmakers in Washington DC._hackernoon.com

GDPR stands for General Data Protection Regulation, about to enter into force in the European Union at the end of May. GDPR will have a significant effect on how Internet businesses operate in Europe, no matter if they are located or not within one the the EU’s member states.

WIRED even writes “Once mocked, Europe’s new data protection has become a source of transatlantic envy.” “When GDPR was first passed, US commentators dismissed it as a piece of jealous protectionism,” Rowland Manthorpe explains, citing a recent editorial in The New York Times now calling for similar rules.

“The new European rules are not perfect — they include the so-called right to be forgotten, which allows people to ask companies to delete personal information that they no longer wish to share,” the editorial reads. “But the Europeans have made progress toward addressing some of the problems that have recently been highlighted in the United States.”

Tuesday, during Zuckerberg testimony in the Senate, Alexandria Ocasio-Cortez, 2018 Democratic Candidate for US Congress, even called for a US GDPR.

So, why GDPR was so prominent in Zuckerberg testimonies and why so many questions about it?

It all started with a photo that got a great deal of attention during the past few days. It shows the notes provided to Mark Zuckerberg by his legal and public policy team, some of them accompanying him to both hearings Tuesday and Wednesday: General Counsel Colin Stretch, Joel Kaplan, Vice President for US Public Policy; Erin Egan, Chief Privacy Officer; Myriah Jordan, public policy director for congressional affairs; Pearl Del Rosario, Associate General Counsel for Compliance; and Brian Rice, director of public policy.

Via Stefan Becket on Twitter

The notes include talking points on a plethora of topics and issues, including Russian interference and election integrity, diversity, competition, and privacy… And even Facebook’s reaction to comments by Apple’s Tim Cook on the company business model and leadership.

In the notes, when it comes to privacy, the new European GDPR regulation is quite prominent.

The notes advise Zuckerberg: “don’t say we already do what GDPR requires.”

Via Greg McNeal on Twitter

They also mentions a few speaking points to be used in the two testimonies:

• People deserve good privacy tools and controls wherever they live.
• We build everything to be transparent and give people control.
• GDPR does a few things: (a) Provides control over data use — what we’ve done for a few years; (b) Requires consent — done a little bit, now doing more in Europe and around the world; (c) Get special consent for sensitive things e.g. facial recognition.
• Support privacy legislation that is practical, puts people in control and allows for innovation.

The notes served Zuckerberg well on many occasions, as Senators and Congressmen asked him about GDPR.

For example, during the US House Energy and Commerce Committee hearing, when Rep. Scott Peters asked: What the Europeans got right with the GDPR?

Zuckerberg answered: “I think the GDPR in general is going to be a very positive step for the Internet. It codifies — a lot of the things in there are things we have already done for a long time; some other things that I think would be good steps for us to take. For example, the controls that this requires are generally privacy controls that we’ve offered for years. Putting the tools in front of people repeatedly, not just having them in settings, but putting them in front of people and making sure that people understand what the controls are and that they get affirmative consent. I think that’s a good thing to do that we’ve done periodically in the past. I think it makes sense to do more. And I think it’s something GDPR will require us to do and it will be positive.”

Rep. Peters then asks: Anything wrong the Europeans have done?

Zuckerberg, after a long pose: “I need to think about that more.”

Shortly after, Rep. Ryan Costello also asked about about Europe’s GDPR: “What pieces of that do you feel would be properly placed on American jurisprudence; in other words, right to erasure, right to get are data back, right to rectify… Can you share how you see that playing out, not just for you but also for smaller companies?”

Same answer from Zuckerberg: “There a few parts of GDPR that I think are important and good.”

He mentioned three important pieces, and the last one is where he was able to add another talking point on Facebook’s views on the new European regulation:

• “One is making sure that people have control over how each piece of information that they share is used — people should have the ability to know what a company knows about them, to control and have a setting about who can see it, and to be able to delete it whenever they want;”
• “the second set of things making sure that people actually understand what tools are available — not just having them in some setting page, but put them in front of people so that they can make a decision. That both build trust and makes their experiences configured in a way that they want. That is something that we’ve done a number of times over the years at Facebook, but with GDPR we will now be doing even more and around the whole world;”
• “the third piece: there are very sensitive technologies that I think are important to enable innovation around, like face recognition, but that you want to make sure you have special consent for. If we make it too hard for American companies to innovate around areas like facial recognition, then we will loose to Chinese companies and other companies around the world.”

Representative Gene Green also asked about GDPR, including specific questions about the new regulation’s requirements. Here’s how Zuckerberg responded:

The day before, during the hearing in the Senate, Senator Maria Cantwell asked: “Do you believe the European regulations should be applied here in the US?”

Zuckerberg answered: “I think everyone in the world deserves good privacy protection and regardless of whether we implement the exact same regulation I would guess that it would be somewhat different because we have somewhat different sensibilities in the US as other countries.”

He added: “We’re committed to rolling out the controls and the affirmative consent and the special controls around sensitive types of technology, like face recognition, that are required in GDPR. We’re doing that around the world. I think it’s certainly worth discussing whether we should have something similar in the US but what I would like to say today is that we’re going to go forward and implement that regardless of what the regulatory outcome is.”

Shortly after Senator Lindsey Graham asked whether “the Europeans have it right” about privacy regulation.

Zuckerberg answered: “I think that they get things right.”

EU commissioner Vera Jourova, in charge of justice, consumers, and gender equality issues, also commented on Zuckerberg’s testimonies on Capitol Hill saying “Thank you Mr Zuckerberg,” according to Catherine Stupp of EurActiv.com.

Referring to the Cambridge Analytica breach and data protection, Jourova also pointed out that the European Union is “equipped to remedy the situation with GDPR.”

On April 4, during a Q&A with journalists, Cecilia Kang if The New York Times asked Zuckerberg referring to GDPR: “Would you be comfortable with those types of data protection regulations in the United States and deeper for global users?”

He responded: “Overall, I think regulations like the GDPR are very positive. I was somewhat surprised by yesterday’s Reuters story that ran on this because the reporter asked if we are planning on running the controls for GDPR across the world and my answer was yes. We intend to make all the same controls and settings available everywhere, not just in Europe. Is it going to be exactly the same format? Probably not. We need to figure out what makes sense in different markets with the different laws and different places. But — let me repeat this — we’ll make all controls and settings the same everywhere, not just in Europe.”

In the Reuters story, Zuckerberg was quoted as saying “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing.” The article mentioned that he did not elaborate.