Facebook Privacy Violation Scandal In Broader Context
In April, the CEO of Facebook, Mark Zuckerberg, testified in Congress about the alleged user privacy violations that occurred at Facebook. Several weeks later, Cambridge Analytica, the political consulting firm that misused the personal information of millions of Facebook users, is shutting down due to the loss of customers. The Federal Trade Commission is progressing with its investigation of Facebook, and we will find out whether and how Facebook will be held responsible for these privacy violations.
That said, these privacy concerns are not going to end anytime soon. It is not just Facebook. Companies in multiple industries are becoming heavily dependent on customers’ personal data so that they can provide tailored products and services to their customers at lower cost. Ideally, both the companies and their customers should benefit from this data collector-data contributor relationship. In reality, all of us who are data contributors often feel uncomfortable about it. From Zuckerberg’s testimony in Congress, we may find answers to why we feel this way, and how meaningful regulation can improve this situation.
One reason why data contributors may not trust data collectors is that there is an informational asymmetry between the two. Many users have little knowledge about how companies like Facebook are collecting their personal information and what kinds of information are being collected. People get suspicious about whether their voices are being recorded secretly through the microphones on their laptops or through smart home devices like Amazon Echo.
It is often unclear to users who has access to their personal information. For example, people unfamiliar with Facebook’s business model may think that it sells users’ information to advertisers. During his Congressional testimony, Zuckerberg explained that Facebook acted as an intermediary that connected users with relevant ads. In order to provide greater clarity to users, regulation is needed to require that data collectors disclose, in an understandable and comprehensive manner, the sources being used to collect information, the types of information being collected, and the parties who have the access to that information.
Sometimes the collected information may be such that we are hesitant to share it. For example, many car insurance companies have been promoting telematics devices, which track drivers’ driving habits, and good drivers will be rewarded with lower premiums. But even for a good driver, the chance of her getting into an accident varies depending on many other factors, for example, the road conditions. Imagine if insurance companies start to gather information about the routes that a driver takes and change premium rates accordingly, in real time. Drivers will spend less on car insurance if safer routes are taken, and insurers will be able to monitor their risk exposures more closely. But even in such a mutually beneficial scenario, not everyone is willing to share his every footprint with others.
In short, people balance different considerations when it comes to the sensitivity of personal information. Some may be happy about giving up personal information in exchange for lower price or convenience, while others may not. Therefore, data contributors – meaning you and me -- should be given the right to not share the information they consider sensitive, unless they want to do so.
In the EU, the General Data Protection Regulation – GDPR – goes into effect on May 25, 2018, and it provides data protection and privacy for all individuals within the European Union. It also deals with the export of personal data outside the EU, and hence, it will have a global impact.
Given the increased focus on cyber privacy, it is likely that some Congressional legislation will emerge. Will this regulation be adequate and will there be adequate enforcement of those regulations?