© REUTERS/Yves Herman

Ever since Facebook CEO Mark Zuckerberg testified before the US Congress in early April, European Union politicians have been demanding he face questions in Brussels as well. After all, not only does Facebook have more users in the EU than in the US, it also represents the website’s main privacy regulator.

Facebook stalled on the invitation for weeks. Zuckerberg also declined a request to appear before the British Parliament to answer questions about the Cambridge Analytica scandal, in which a British company gained access to millions of American users’ data and used them for targeted advertising benefiting the Trump campaign.

But last week Facebook had a sudden change of heart. European Parliament President Antonio Tajani announced on Twitter that the Facebook CEO had relented to the mighty European Parliament and agreed to testify before it.

However, just hours after the announcement, it emerged that Zuckerberg had in fact only agreed to meet privately with the Parliament’s “Conference of Presidents’”—the leaders of its eight political groups. The meeting would be held behind closed doors.

Members of the parliament and the public were infuriated by the bait-and-switch. After relentless public pressure over the weekend, Tajani announced that Facebook had agreed to let the hearing be web-streamed. It wasn’t ideal for many privacy advocates, who said the better venue would be the Parliament’s civil liberties committee—MEPs who know the details of the relevant legislation. Having Zuckerberg be interrogated by group presidents who don’t know the details of the relevant legislation would be pointless, they said.

But it quickly got worse. Tajani then took the decision to give the meeting a bizarre format. Zuckerberg would give opening remarks, eleven MEPs would ask questions, and then Zuckerberg would give one response collectively for all questions. There would be no opportunity for follow-up.

The result on Tuesday night was predictable. Zuckerberg’s opening statement was largely a repeat of what he told the US Congress. The MEPs asked their questions, but Zuckerberg largely chose to ignore them. He seemed to many to be trying to run out the clock, and he did.

When he finished, and Tajani said “that’s a wrap,” the MEPs howled in protest. Several shouted out objections that he hadn’t answered their questions, including one on “shadow profiles” that Facebook compiles about non-users and one on whether the company is linking data from Facebook and the chat service Whatsapp in order to develop big data to sell to advertisers. The MEPs began bickering, there in the live feed for all the world to see, before Tajani abruptly brought things to a close.

It remains unclear whose idea the format was. Did Facebook request the private session and format without follow-ups? Or was it offered to them by Tajani as an enticement for Zuckerberg to come to Brussels and be treated with kid gloves? Neither side will say.

Farage Enters

To reestablish trust with European lawmakers, Zuckerberg had to assure them of three things: that Facebook is tackling fake news and election interference, that Facebook is going to be fully compliant with the EU’s new data privacy rules (GDPR) that take effect on May 25, and that Facebook is not a monopoly that needs to be broken up.

But his assertions were full of the same platitudes he had given the US Congress. “Facebook plays a positive role in elections around the world, by helping leaders like you directly connect with voters,” he told the MEPs.

At least members of the US Congress were able to follow-up when they felt their questions weren’t being answered

Claude Moraes, the chairman of the parliament’s civil liberties committee who was invited to attend the hearing, emerged saying the whole thing had been a farce, though he acknowledged that perhaps it was better than nothing. Guy Verhofstadt, the leader of the liberal ALDE party caucus, said he will be demanding written answers from the company for the questions that were not addressed by Zuckerberg.

Not every MEP left the room furious with Zuckerberg, though. Nigel Farage, the Brexit champion who leads the Euroskeptic parliament group Europe of Freedom and Democracy, told Zuckerberg during the hearing: “I’m probably your best friend in this room”.

Facebook shouldn’t be making any changes, Farage said. It should remain a neutral platform that isn’t in the business of deciding what is or isn’t “fake news.” He then accused the service of starting to show a bias against the right-wing following the Cambridge Analytica scandal.

“My Facebook clicks and views have fallen by 25 percent since the start of the year,” he complained.

The whole episode was less than reassuring for Facebook users watching at home who are concerned about their privacy. And it likely didn’t fill them with confidence about the European Parliament either.

And, as if to symbolize the embarrassing affair, during the hearing a portion of the ceiling collapsed in the press room where Tajani was due to give his press conference afterwards—alone, of course, without Zuckerberg. The journalists in the room couldn’t decide what they found funnier: the shambles unfolding on the viewing screen, or the pieces of plaster covering the floor.

The post Zuckerberg’s Easy Ride appeared first on Berlin Policy Journal - Blog.

© REUTERS/Stephen Lam

Expectations were low when Germany’s new federal justice minister hauled in Facebook executives to explain their latest data scandal. But even by those standards, it was clear the social media giant had under-delivered when Katarina Barley went before the press after the March 26 meeting in Berlin.

“Facebook admitted abuses and excesses in the past, and gave assurances that measures taken since will prevent them from happening again,” she said. “But promises aren’t enough. In the future we will have to regulate companies like Facebook much more strictly.”

But Facebook isn’t the only one making empty promises. Politicians across Europe have been astir with indignation, muttering empty threats since Cambridge Analytica admitted that information it bought on Facebook users was used to influence the 2016 US presidential election. The company bought the data—illegally—from the developers of a personality app that quizzed users to determine their personalities, political leanings, and more. Until 2014, Facebook’s default settings allowed any app installed by one Facebook user to scrape data off all of a user’s friends, too—without informing them or asking for explicit permission.

Cambridge Analytica has been bragging about its coup since Donald Trump was elected, but it took a company whistleblower to make clear the extent of the manipulation. Now that the consequences of the data-trading have become clear, Facebook claims to be shocked—shocked!—by what happened.

Caught

In reality, Facebook is shocked because it was caught. It walked into this with its eyes open, allowing problematic data-collection via third-party apps. And it earned money in the process from data-collecting app developers it knew it couldn’t control.

They got away with it because, well, they can.

Under current EU law, Germany’s federal justice minister can investigate consumer law breaches involving Facebook. But it has no ability to police Facebook data breaches—even if they happen in Germany or, as Barley said after their meeting, affect 130,000 European Facebook users.

Because Facebook and other tech giants have their international headquarters in Ireland, front-line responsibility for policing them falls to the Irish data protection regulator (DPC). And for years, the DPC has faced accusations from German and other authorities of sitting on its hands.

It is a heated, polarized argument that has much to do with interpretation of laws dating back to before Facebook was even invented. But just as crucial are cultural norms—and misunderstandings.

Germany’s robust data protection rules and privacy culture are a product of bitter experience of surveillance, under first the Gestapo and then the Stasi. Ireland has a much looser attitude to privacy and data protection, more similar to British and US perspectives, and the Irish DPC is a reflection of this. But the status quo of EU data regulation means the Irish philosophy has prevailed.

Since 2011 Ireland’s regulator has been investigating Facebook’s operations in Europe following a complaint filed by Austrian privacy campaigner Max Schrems that the company was operating outside EU law. He took his case to the European Court of Justice in Luxembourg and won, forcing the EU to close down problematic transatlantic data transfer channels.

But in his 2011 complaint to the Irish DPC, Schrems also flagged as illegal Facebook apps’ practice of pulling in the data of both users and their Facebook friends. While Facebook maintains contracts with developers forbidding the onward sale or disclosure of data to third parties without user consent, he dismissed these as worthless.

“No one knew for sure who was behind these apps and no one knew what happened to the data collected,” said Schrems. “It could disappear into another country or end up being used—as Cambridge Analytica shows—in an election campaign.”

Asking Questions

Asked about Schrems’s concerns, Facebook claimed back in 2011 that its users had agreed to share their data with apps in friends’ profiles through the concept of “third party consent.” The Irish regulator flagged this as problematic, and ordered changes back in 2011 and 2012; but we still don’t know if the DPC viewed the practice as illegal. Indeed, it was a whole three years after the first complaint that Facebook restricted its “third party consent” sharing of data, and then only because the social network updated its platform.

Ask the Irish DPC what took so long and you hear a lot about consensual audits and how effective data protection regulation requires an “iterative approach.” This is the kind of talk that drives German data regulators to distraction—they prefer to stop problematic practices first and ask questions later.

Years of pan-EU frustrations could come to an end in May, when new EU data protection rules come into force. The Irish regulator will remain the frontline regulator for Facebook, Twitter, and Google, all based in Dublin. But the new rule book, known as the General Data Protection Regulation (GDPR), foresees greater leeway to act—and huge fines for regulation breaches.

German Green MEP Jan Philipp Albrecht, who pushed GDPR through the European Parliament, says the new rules will increase pressure on the Irish DPC to explain to partner agencies in other EU member states how it is regulating—or not regulating—big tech companies in its territory. Should it fail to make a convincing case, Albrecht says, “it will lead quickly to outside control of the Irish regulator.”

For Albrecht, a data protection veteran, the EU regime will do more to rein in Facebook data breaches than any national politician or regulatory body. Albrecht added: “I for one am happy that the Irish regulator will, through GDPR, be expected to apply common rules more quickly and consequentially.”

The post Unlike appeared first on Berlin Policy Journal - Blog.