No Clear Path to Legislation for Lawmakers Expressing Outrage Over Facebook Revelations
Congress has historically taken a hands-off approach to tech oversight
Lawmakers, motivated by revelations of Facebook Inc.’s handling of users’ data, may take a look at proposals for new data safeguards — but it’s far from clear that Congress has a clear path from lawmakers’ anger over Facebook to legislative action.
Disclosures about Facebook’s relationship with Cambridge Analytica, and the latter’s behavior in the 2016 elections, may have given legislation greater urgency than was the case after companies such as Equifax Inc. lost the data of about 145 million consumers. But legislation doesn’t seem imminent and, to the extent it’s about data protection, may miss the mark.
“We’ve been working on data breach legislation for a long time,” said Senate Commerce, Science and Transportation Chairman John Thune, R-S.D. “We will continue to try to get that done.”
The Facebook-Cambridge Analytica case, however, adds an extra dimension to the data privacy discussion: what if there is no breach and the data is used to influence elections? Facebook’s statements say there was no breach, but that Cambridge Analytica obtained the data under a false pretext.
Cambridge Analytica drew on Facebook data on 50 million Americans and used it in the Trump campaign in 2016. The CEO, since placed on leave, was filmed boasting about Cambridge Analytica's role in the campaign. The same footage showed his apparent willingness to conduct dirty tricks on behalf of a candidate.
The firm reportedly received a significant investment from wealthy Republican donor Robert Mercer. And Steve Bannon, a former top Trump strategist, oversaw Cambridge Analytica’s early efforts to collect Facebook data, The Washington Post reported.
Many questions
At least some lawmakers say the case raises questions about the integrity of elections as well as privacy and whether companies like Facebook are doing enough to protect the information.
In a March 19 letter, Sens. Amy Klobuchar, D-Minn., and John Kennedy, R-La., urged Senate Judiciary Chairman Charles E. Grassley, R-Iowa, to call technology CEOs to testify about the use of data. They named Facebook, Google and Twitter.
“The lack of oversight on how data is stored and how political advertisements are sold raises concerns about the integrity of American elections as well as privacy rights,” they wrote. “While Facebook has pledged to enforce its policies to protect people’s information, questions remain as to whether those policies are sufficient and whether Congress should take action to protect people’s private information.”
But Klobuchar and Kennedy make no mention of legislation in their letter and suggest that any changes could come from the companies.
“A hearing featuring testimony with CEOs would provide the Committee the opportunity to hear an update on the progress of these companies’ voluntary measures to combat attempted foreign interference and what is being done to protect Americans’ data and limit abuse of the platforms,” they wrote, “as well as to assess what measures should be taken before the next elections.”
Grassley, R-Iowa, said Wednesday that Facebook officials were scheduled to brief staff, a “forerunner to making a decision on whether or not to have a committee meeting.”
Congress has historically taken a hands-off approach to technology companies, allowing them to grow into some of the biggest companies in the world. Facebook is valued at about $490 billion even after losing 8 percent of its value in less than a week. Investors may be signaling that they expect regulatory and legislative consequences.
Complicating the issue for lawmakers is that any investigation of activities related to the 2016 election potentially bleeds into investigations of Russian meddling in those elections, one of which has become partisan. At least three Congressional committees are examining or have examined the question of Russian meddling.
Another complication is that Facebook, like other social media platforms, is a vehicle for candidates of both parties. Lawmakers may like the idea of putting safeguards on a tool that benefits their opponents; they’re not likely to give up the use for themselves.
Several committees are arranging meetings between staff and Facebook officials. In addition to Senate Judiciary, the House Judiciary and Senate Commerce committees were arranging the meetings as early as Wednesday although the snowfall in Washington, D.C., forced the postponement of at least one. Staff members didn’t say what they were trying to find out.
“If Facebook doesn’t cooperate with us, and the other companies don’t cooperate, that’s the quickest way to accelerate legislation,” Kennedy said. “But I would prefer to hear their thoughts on it.”
He and other lawmakers voiced concern that lower-ranking Facebook executives who have testified in other hearings have not provided enough information about the company’s policies and actions related to the protection of data.
Legislation on the way?
Congress has several pieces of legislation, mostly still in draft form, but they are primarily about protecting data. In addition to Moran’s draft measure, Reps. Blaine Luetkemeyer, R-Mo., and Carolyn B. Maloney, D-N.Y., are circulating a draft bill that would require a company to notify consumers without unreasonable delay if a breach could result in identity theft, fraud or economic loss. Supporters of the bill acknowledge Facebook probably wouldn’t have had to notify consumers in the Cambridge Analytica case because the data wasn’t financial.
Sen. Richard Blumenthal, D-Conn., is offering a bill that would require companies to have cybersecurity protections in place and direct the Federal Trade Commission to develop regulations.
Sen. Jerry Moran, R-Kansas, a member of Thune’s committee, is also working on a draft bill. He chaired a Commerce subcommittee hearing in February that criticized Uber’s payment of $100,000 to two hackers who obtained data.
The flurry of concern on Capitol Hill coincides with the coming implementation in May of the European Union’s tough General Data Protection Regulation (GDPR), which includes mandates such as data breach notifications within 72 hours and penalties for corporate violators ranging up to 4 percent of global revenues.