Privacy imported: US weighs EU-style regulations to protect your data

Congressional hearings with Facebook's Mark Zuckerberg get lawmakers talking about regulations for internet companies' collection and use of consumer data.

Laura Hautala

Facebook CEO Mark Zuckerberg shakes hands with House Energy and Commerce Committee member Rep. Richard Hudson, a Republican from North Carolina, at the conclusion of a hearing on Capitol Hill on Wednesday. Zuckerberg said Facebook would welcome the "right regulation" for its collection and use of data.

Chip Somodevilla / Getty Images

What if more privacy was the law? 

The European Union has already made it so with its General Data Protection Regulation, which gives users the ability to request information on who has their data, as well as the right to ask for copies or have it deleted. Until recently, however, the law appeared likely to have only limited benefits for people outside of Europe. 

One possible benefit to people in the US is that companies might decide to extend the law's privacy protections to users worldwide. The rules also require companies to notify users of data breaches quickly, meaning reports of Europeans being affected by a hack could be a precursor for similar news around the world.

Now, the law's reach in the US could be much bigger. Privacy experts say it's becoming more likely that lawmakers will enact regulations in the US that borrow from the EU law, commonly called the GDPR. If they do, a new law would mark a sea change in the way the federal government approaches privacy regulations.

The change in attitude is thanks to the widening data scandal at Facebook, which involves political consultancy Cambridge Analytica's acquisition of information on as many as 87 million of the social network's users. The new willingness to consider regulation was on display on Tuesday and Wednesday, when members of Congress repeatedly asked Facebook CEO Mark Zuckerberg how he felt about the prospect of his company being regulated.

"I think if it's a right regulation, then yes," he told one senator on Tuesday.

Taking regulation to the next level

Lawmakers have introduced many privacy-oriented bills before. But they've all been narrowly focused. 

After the Equifax hack in September, which compromised the personal information of nearly 148 million people, lawmakers introduced bills that would give consumers more control over the data that credit reporting agencies can collect on them, require businesses to inform consumers of data breaches and impose fines. In the same year, Rep. Marsha Blackburn, a Republican from Tennessee, introduced the Browser Act, which would require web-based services to let users opt in or out of having their data collected.

Privacy in the US is already regulated to some extent by the Federal Trade Commission and the Federal Communications Commission.

The agencies' regulations don't have the teeth of GDPR, which levies steep fines against companies for violating the rules. Those penalties can go up to 20 million euros or 4 percent of a company's annual revenue -- whichever is higher.

Zuckerberg on privacy regulation

Zuckerberg's questioning in two separate congressional hearings marked the most high-profile public discussion of enacting broader privacy regulations we've seen yet.

On Tuesday, Sen. Lindsey Graham, a Republican from South Carolina, asked Zuckerberg if he thinks the Europeans got it right.

"I think that they get things right," Zuckerberg said, triggering laughter.

On Wednesday, Rep. Scott Peters, a Democrat from California, asked Zuckerberg what specific parts of the GDPR he thinks are a good idea.

"In general, it is going to be a very positive step for the internet," Zuckerberg said. He said many of the rights given to users by the law to control data were already available on Facebook. 

In response to the idea of requiring businesses to make those controls more obvious and get affirmative consent for data collection, as the regulation requires, Zuckerberg said, "I think it makes sense to do more." Facebook has recently rolled out tools to let you delete information from the social network permanently.

As for what the regulation gets wrong, Zuckerberg said, "I need to think about that more."

Bringing GDPR stateside

Despite the hours of questioning Zuckerberg underwent, privacy advocates said lawmakers weren't firm enough on the question of regulation.

"We shouldn't be begging for Facebook's endorsement of laws, or for Mark Zuckerberg's promises of self-regulation," said Zephyr Teachout, an activist and professor at Fordham University School of Law, in an opinion piece in the Guardian.

While it could be a long shot, the tech sector might come to support specific laws in the future, said Lorrie Cranor, former chief technologist at the FTC under the administration of President Barack Obama.

"They may say, 'There are parts of GDPR that we might as well have in the US because we're complying with them anyway,'" Cranor said. That wouldn't be out of the goodness of their hearts though. 

Businesses may prefer to have one standard they have to comply with rather than spending resources on following different regulations in different countries. What's more, there could be a financial incentive for big companies to make some of the GDPR the law in the US. "It will be much easier for large companies to deal with compliance, so it will give them an advantage over smaller companies," Cranor said.

Industry group opposition

Currently, industry groups aren't in favor of passing a law mirroring the GDPR. "Its light-touch approach to internet regulation has made the US digital economy the envy of the world," the Information Technology & Innovation Foundation said in a statement Tuesday. "Taking steps toward European-style privacy regulation would offer only marginal value to users, but it would significantly erode US competitiveness and Internet innovation."

Cranor said she thinks that sentiment will keep any regulation that passes limited. 

"I'm not saying that all of GDPR has any chance of passing in the US, but there may be some pieces that have a chance if industry gets behind it."
