When it comes to regulating social media, the feds may beat Congress to the punch

Lawmakers from both parties are mulling a legislative response to information gleaned at recent hearings with Facebook CEO Mark Zuckerberg, perhaps setting new privacy requirements and data-breach notification standards for social media companies.

But congressional moves are far from assured, or desirable to many, and significant action may come first from federal agencies or even low-key collaborations among industry groups and government entities.

After the mid-April Zuckerberg hearings in the House and Senate, Sens. John Kennedy, R-La., and Amy Klobuchar, D-Minn., were first out of the box with a bill to “protect the privacy of consumers’ online data by improving transparency, strengthening consumers’ recourse options when a breach of data occurs, and ensuring companies are compliant with privacy policies that protect consumers.”

Their bill has been in the works for a while, sources said, and it’s still in draft form. But the senators were keen to take advantage of the spotlight offered by Zuckerberg’s Capitol Hill appearances.

The measure focuses on issues such as user data tracking and terms of service agreements. The senators said the bill will also require “users be notified of a breach of their information within 72 hours,” and give “remedies for users when a breach occurs.”

The 72-hour rule is in line with requirements coming into effect in the European Union on May 25, which U.S. business groups strongly oppose.

Facebook strongly rejects the idea that any breach occurred at its service, pointing instead to a chain of events involving scientist Aleksandr Kogan and the app he developed that allowed Cambridge Analytica to access data of 87 million Facebook users, which was used to influence the 2016 elections.

“The claim that this is a data breach is completely false,” Facebook said in a statement prior to the hearings. “Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

But Kennedy has told reporters that he views the affair as a data breach and structured his bill accordingly, with the notification requirement.

Lawmakers asked Zuckerberg to offer his own ideas on ways to secure users’ data, and Kennedy said last week that Facebook’s response will have a great deal of influence on whether lawmakers try to write tough new mandatory rules for the industry.

“Zuckerberg said he’s open to this conversation [on privacy and cybersecurity roles and responsibilities], but he didn’t get a response from the members of Congress on discussing ways to work together,” said Kiersten Todt, the former executive director of President Obama’s national cybersecurity commission.

Todt suggested looking at the collaborative opportunities rather than at coercing social media companies to change their behavior through legislative mandates.

She said the hearings and the possible follow-up “offer an opportunity to get this collaboration right because we would be doing it together from the start. We have the opportunity with this [social media] sector to say what the collaboration should look like and what the responsibilities are.”

It’s unclear how Congress would fit into this picture, but Todt suggested an initiative aimed at pulling together Facebook, other social media companies and stakeholders, and some government representatives in a collaborative setting might offer a quicker path toward better securing Americans’ experiences in the social media realm.

Other sources pointed to possible action at the Federal Trade Commission to impose stronger data security standards on social media companies.

“It’s unlikely anything will happen legislatively in the near term,” said a former federal cybersecurity regulator. “With regard to regulation, it depends on when the new FTC commissioners are confirmed and how aggressive they want to be on both Facebook and Google. My gut says there’s a possibility for some pretty momentous actions. Bottom line is, this is a long game, but there are some things that could happen in the next year or so, likely not the next few months, that could change things significantly.”

This source said to keep an eye on an FTC investigation into Facebook’s handling of users’ data.

If there is a legislative approach, Kennedy and Klobuchar are both Judiciary Committee members and that panel — and Commerce — would likely take the lead on the issue.

Judiciary Chairman Charles Grassley, R-Iowa, and Commerce Chairman John Thune, R-S.D., have shown interest in following up on Facebook, and on breach-notice issues in general, but haven’t announced plans.

“Sen. Grassley has also said it will depend on Facebook’s response,” a spokesman for the senator said.

A spokesman for Senate Majority Leader Mitch McConnell, R-Ky., said GOP leadership is waiting to see what the Judiciary and Commerce committees decide before engaging on the issue.

In the House, an Energy and Commerce spokeswoman said: “The public policy implications surrounding our hearing with Mr. Zuckerberg extend well beyond one company. Moving forward, the committee is focused on shedding light on the tech industry’s business practices as a whole and making sure consumers are getting a fair shake.”

It’s unclear whether that will involve legislation.

“It’s not easy for us to begin regulating” in this area, acknowledged Sen. Dianne Feinstein of California, the top Democrat on the Judiciary Committee. She said the hearings provided “a lot of food for thought,” but there probably would not be a legislative push “right away.”

“It will be interesting to see what changes Mr. Zuckerberg makes over the next month,” she added.

One well-connected Senate source noted that data-breach legislation has stalled for years in Congress and that lawmakers, eager to do something to address constituent concerns about the Facebook affair, may aim for a narrower bill strictly addressing privacy issues on social media.

“We’ll try to get something done rather than hold out for the perfect,” the Senate source said.
