We have a responsibility to protect your information,” Mark Zuckerberg, the chief executive of Facebook, declared recently in a full-page newspaper advertisement. “If we can’t, we don’t deserve it.”
It is nice to see Facebook taking some responsibility for the exploitation of the personal information of 50 million of its users in the service of a political campaign. But Mr. Zuckerberg’s comments suggest he still doesn’t get it: What matters is not whether internet companies “deserve” our private information but why we as consumers do not have meaningful ways to protect that data from being siphoned for sale in the first place.
The European Union, however, is handling the problem differently. Starting in May, its General Data Protection Regulation will go into effect in its 28 member nations. The regulation is powerful in its simplicity: It ensures that consumers own their private information and thus have the right to control its usage and that internet companies have an obligation to give consumers the tools to exercise that control.
The European rules, for instance, require companies to provide a plain-language description of their information-gathering practices, including how the data is used, as well as have users explicitly “opt in” to having their information collected. The rules also give consumers the right to see what information about them is being held, and the ability to have that information erased.
Why don’t we have similar protections in the United States? We almost did. In 2016, the Federal Communications Commission imposed similar requirements on the companies that provide internet service, forcing them to offer an explicit “opt in” for having personal data collected, and to protect the information that was collected.
This didn’t last. Internet service providers like Comcast and AT&T and companies that use their connections, like Facebook and Google, lobbied members of Congress. Congress passed a law this year, signed by President Trump, that not only repealed the protections but also prohibited the F.C.C. from ever again imposing such safeguards. The same coalition of corporate interests succeeded in discouraging California from passing a state privacy law similar to the 2016 F.C.C. requirements.
Fortunately, the European Union’s law should indirectly help Americans somewhat. In only a few weeks, Facebook, Google and all the other internet companies that collect our private information will have to allow European customers the protections these companies have fought to deny Americans. In an interconnected world where digital code doesn’t respect the geographical or national borders, this will surely have a positive global impact.
Internet companies are preparing for a future in which regardless of where a website is based, if it is visited by even a single European Union citizen and if it seeks to collect that person’s data, it must provide that person the protections of the General Data Protection Regulation. Hopefully, this experience will show these companies that protecting privacy is simply the responsible thing to do, not the end of their business.
The United States government has a lot of explaining to do. Why is it that American internet companies such as Facebook and Google are required to provide privacy protections when doing business with European consumers but are free to not provide such protections for Americans? Why is it that Americans’ best privacy hope is the secondary effect of interconnected networks rather than privacy protections designed for Americans? Why shouldn’t Americans also be given meaningful tools to protect their privacy?
Congress is now considering bipartisan legislation that responds to the problem of Russian targeted political advertising on social media by adding the requirement, long applied to broadcast advertising, that those websites disclose who is paying for their advertisements. But as well intentioned as that step may be, it addresses only a symptom of the problem of the extensive surveillance of Americans, not the root of the problem.
The New World must learn from the Old World. The internet economy has made our personal data a corporate commodity. The United States government must return control of that information to its owners.
Tom Wheeler, the chairman of the Federal Communications Commission from 2013 to 2017, is a visiting fellow at the Brookings Institution and a fellow at the Harvard Kennedy School.