After the emergence of large-scale data breaches on Facebook’s platform, CEO Mark Zuckerberg accepted to appear before the respective parliamentary committees of the US Senate and Congress. The hearings highlighted that US politicians are now turning their attention to social media platforms, but have no coherent plan (and unclear intentions) on the measures to adopt. At the same time, there are clear indications that the EU’s GDPR will become a benchmark for data privacy worldwide.

The hearings were lengthy and broad, and quite unlike the ones ongoing in the UK

A striking difference immediately emerged between the two hearings carried out by the US Congress and Senate, and those of the UK Parliament’s DCMS Committee. The latter are part of a detailed, thorough enquiry on fake news, and see a handful of MPs asking detailed questions to witnesses, whereas the former have involved dozens of senators and congress members, and turned into lengthy proceedings in which politicians asked a broad range of questions, most of which turned out to be somewhat vague and generic. This has allowed Zuckerberg to appear relatively comfortable, particularly in the hearing at the Senate; however, it also made it difficult to explore issues in-depth, and highlighted that US lawmakers are barely scratching the surface when deciding how to regulate such platforms.

The hearing with the Congress Committee on Energy and Commerce was more detailed and challenging for Zuckerberg than the one with the Senate’s Committee on the Judiciary. This is likely due to the differences between the two groups, as Congress is generally made up of younger members whose understanding of technology is likely to be more thorough compared to senators. Here, some congress members criticised Zuckerberg for Facebook’s poorly designed privacy policies, and were harsher in highlighting how difficult it is to understand what use Facebook makes of personal data.

The two hearings also highlighted the likely reason why Zuckerberg has agreed to hearings in the US while denying, so far, to do the same before the UK DCMS Committee. Hearings in the UK would likely be on more specific issues, which will require more detailed, technical answers he might not be able to provide.

US politicians have started looking to GDPR, but it’s unlikely they will follow the same approach

Zuckerberg’s hearing before the Congress Committee was characterised by the frequent reference to the data protection framework about to come into force in the EU. The acronym GDPR was mentioned 17 times in five hours; the word “European” 13 times, according to the transcript of the hearing.

Several Congress members asked Zuckerberg whether Facebook plans to extend to US users the safeguards and rights provided by the GDPR, and others asked Zuckerberg if the Europeans “Have it right”, and on which aspects. Zuckerberg responded that, by and large, GDPR principles will apply to US users too, although there will be some differences. Crucially, he noted that GDPR is a “very positive step for the internet”.

Such reference to European regulation is striking and unusual for US politics. In the US, the hands-off approach to regulation continues to be largely dominant. However, this is a further sign of the powerful impact GDPR is having on privacy frameworks worldwide. As Assembly found in its new Privacy and Data Protection Tracker, South Korea has recently passed legislation almost mirroring GDPR, and India is now looking into a comprehensive framework with strong reference to the EU

The fact that so many Congress members asked about GDPR, or proposed an implementation of those principles, could suggest more openness toward the option of regulation; however, it is too early to consider this as a likely outcome. As noted by one of the Committee’s members, “I've just seen it over and over again — that we have the hearings, and nothing happens”. In fact, some other Congress members (mainly Republicans) challenged the idea that regulation is needed.

Zuckerberg said regulation is “inevitable”, but it is still unclear how this will play out

In the hearings, Zuckerberg repeated a concept he has been voicing for the last few weeks, and admitted regulation is now “inevitable” for online platforms. He also added, though, that regulation could be easy to comply with for a large company like Facebook, whereas this could be more difficult for a smaller start-up.

In general, Zuckerberg’s point can be seen as valid, as regulatory barriers tend to have much more impact on a small organisations, compared to a large one. However, such a statement appears at odds with the argument the company recently made to deny access to a Belgian user’s own personal data. On that occasion, Facebook argued they are “too big” to comply with that type of request.

Size of businesses aside, regulation will have to be designed with two objectives in mind: the improvement of transparency and user awareness; and the flexibility needed to make sure rules do not become outdated too quickly. To this end, well-monitored guidelines could go a long way, so long as there are sufficient incentives for companies to keep a trustworthy behaviour.

The chairman of the Congress committee concluded the hearing by asking Zuckerberg’s input on “other technology CEOs” they might benefit from hearing from so as to hold accountable executives from other tech companies, Internet service providers, data brokers and anyone else that collects US citizen's information.