What Mark Zuckerberg needs to tell Congress about Facebook

April 9, 2018

By Rep. Jan Schakowsky for CNBC

Facebook completely failed to protect Americans' data. Is anyone surprised?

Facebook has a less-than-stellar track record on consumer privacy. In fact, it was already under a Federal Trade Commission (FTC) consent order when it gave Aleksandr Kogan access to the data of 87 million people. That data, in turn, ended up in the hands of Cambridge Analytica, a firm staffed by foreign nationals working with the Trump campaign.

Facebook CEO Mark Zuckerberg will testify before the House Energy and Commerce Committee on April 11, something my colleagues and I first demanded on March 23. As head of his company, Mr. Zuckerberg must personally answer for Facebook's failure to adequately protect consumer data. Companies deserve to be shamed when they fail to protect consumers.

When Mark Zuckerberg testifies, I expect a detailed accounting of how Facebook shared the data of its 2 billion users – most of whom didn't know their data was being shared – with Aleksandr Kogan and other app developers.

I expect to hear how Facebook is strengthening its privacy protections and empowering consumers to understand and choose how their data is shared. The big question for Congress is what comes next.

Facebook is just the latest corporation that failed to protect Americans' data. In the last year alone, I have responded to poor data practices at Equifax, Uber, and Alteryx. Corporations that hold enormous amounts of consumer data simply haven't made consumer protection the top priority.

In fact, corporations like Facebook and Equifax profit from collecting and selling Americans' data – all too often without consumers' knowledge. In a system with few safeguards, scandals like Facebook-Cambridge Analytica and data breaches like Equifax aren't just possible. They're inevitable.

If we want to change that dynamic, we need to change federal law. If consumer protections like those in my bill, the Secure and Protect Americans' Data Act (SPADA), had been in place, the Facebook-Cambridge Analytica scandal would have played out very differently.

First, Facebook would have been required to have processes to identify vulnerabilities, mitigate those vulnerabilities, and oversee those who have access to personal information through Facebook (e.g. Aleksandr Kogan). Instead, Mr. Kogan was allowed to gather the personal data of not only his app users but also their Facebook friends.

After Facebook found out that Kogan shared user data with an unauthorized third party (e.g. Cambridge Analytica), it would have been required to notify law enforcement within 5 days and consumers within 30 days. Instead, Facebook learned about the scandal in 2015 and kept it under wraps for three years until it was unveiled by a whistleblower.

Finally, the FTC would have been empowered to enforce data security and breach notification requirements with civil penalties. With the FTC investigation into Facebook ongoing, it remains to be seen how Facebook will be held responsible.

In SPADA, I laid out specific proposals to establish data security standards and require prompt notification when data is misused. But that is just a first step. We also need to consider comprehensive privacy legislation to limit the collection and sharing of Americans' data in the first place.

I urge my Republican colleagues to put forward their own ideas so we can negotiate a bipartisan bill to improve data security and consumer privacy. Americans deserve answers from Mr. Zuckerberg, and then they deserve action from Congress.

Commentary by Jan Schakowsky, U.S. representative for Illinois's 9th congressional district since 1999. She is the top-ranking Democrat on the Digital Commerce and Consumer Protection Subcommittee of the Energy and Commerce Committee, where Mr. Zuckerberg will appear on April 11. Follow her on Twitter @janschakowsky.