SAN FRANCISCO — Facebook, Inc. Chief Executive Mark Zuckerberg said on Tuesday that he agreed “in spirit” with a strict new European Union law on data privacy but stopped short of committing to it as the standard for the social network across the world.
As Facebook reels from a scandal over the mishandling of personal information belonging to millions of users, the company is facing demands to improve privacy and learn lessons from the landmark EU law scheduled to take effect next month.
Zuckerberg told Reuters in a phone interview that Facebook was working on a version of the law that would work globally, bringing some European privacy guarantees worldwide, but the 33-year-old billionaire demurred when asked what parts of the law he would not extend worldwide.
“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” Zuckerberg said. He did not elaborate.
His comments signal that US Facebook users, many of them still angry over the company’s admission that political consultancy Cambridge Analytica got hold of Facebook data on 50 million members, could find themselves in a worse position than Europeans.
The European law, called the General Data Protection Regulation (GDPR), is the biggest overhaul of online privacy since the birth of the Internet, giving Europeans the right to know what data is stored on them and the right to have it deleted.
Apple, Inc. and some other tech firms have said they do plan to give people in the United States and elsewhere the same protections and rights that Europeans will gain.
Shares of Facebook closed up 0.5% on Tuesday at $156.11. They are down more than 15% since March 16, when the scandal broke over Cambridge Analytica.
PUSH FOR DATA PRIVACY
Privacy advocacy groups have been urging Facebook and its Silicon Valley competitors such as Alphabet, Inc.’s Google to apply EU data laws worldwide, largely without success.
“We want Facebook and Google and all the other companies to immediately adopt in the United States and worldwide any new protections that they implement in Europe,” said Jeff Chester, executive director of the Center for Digital Democracy, in Washington.
Zuckerberg said many of the tools that are part of the law, such as the ability of users to delete all their data, are already available for people on Facebook.
“We think that this is a good opportunity to take that moment across the rest of the world,” he said. “The vast majority of what is required here are things that we’ve already had for years across the world for everyone.”
Google and Facebook are the global leaders in Internet ad revenue. Both based in California, they possess enormous amounts of data on billions of people.
Google has declined to comment on its plans.
When GDPR takes effect on May 25, people in EU countries will gain the right to transfer their data to other social networks, for example. Facebook and its competitors will also need to be much more specific about how they plan to use people’s data, and they will need to get explicit consent.
GDPR is likely to hurt profit at Facebook because it could reduce the value of ads if the company cannot use personal information as freely and the added expense of hiring lawyers to ensure compliance with the new law.
Data is central to Facebook’s advertising business, and it has not yet sketched out a satisfying plan for how it plans to comply, said Pivotal Research analyst Brian Wieser.
“I haven’t heard any solutions from Facebook to get ahead of the problem yet,” Wieser said.
Failure to comply with the law carries a maximum penalty of up to 4% of annual revenue.
It should not be difficult for companies to extend EU practices and policies elsewhere because they already have systems in place, said Nicole Ozer, director of technology and civil liberties at the American Civil Liberties Union of California.
Companies’ promises are less reassuring than laws, she said: “If user privacy is going to be properly protected, the law has to require it.” — Reuters