While tens of millions of U.S. consumers are affected, the misuse of foreign users' data could now turn out to be the real problem for Facebook since other countries take privacy issues more seriously than the U.S. government.

Share story

BERLIN — These days, you might get more applause for not being on social media than for reaching a follower milestone in Europe’s liberal hubs like Berlin or Paris. Concerns over privacy and ethics have triggered an unprecedented debate here that revolves around how, and not whether, to regulate U.S. tech giants.

Europe’s more loyal users of Facebook and other social media advocates may have felt comforted that major scandals over privacy settings and the platform’s business model appeared to mainly affect its U.S. side, such as the recent outcry over how Cambridge Analytica’s personal data collection affected “30 million profiles of American Facebook users.”

Facebook’s data scandal

Read more news about Facebook here

But now, Facebook says that Cambridge Analytica may have obtained data on far more users — with about 20 percent of them estimated to in fact live outside of the United States. In a separate revelation, Facebook also had to acknowledge on Wednesday that “malicious actors” were able to discover the identities and collect data on most of its 2 billion global users.

The mechanisms used by Cambridge Analytica and the “malicious actors” cited by Facebook appear to have been legal and do not constitute a data hack, but rather a deliberate exploitation of information through tools or loopholes Facebook itself provided in the past. While tens of millions of U.S. consumers are affected in both cases, the misuse of foreign users’ data could now turn out to be the real problem for Facebook since other countries take privacy issues more seriously than the U.S. government.

In India, where over half a million users are estimated to be affected, the allegations have resulted in a governmental request to Facebook and Cambridge Analytica for more detailed information, with an April 7 deadline.

Even though India is now Facebook’s biggest market — ahead of the United States — no Indian media outlets were able to ask questions in a conference call with CEO Mark Zuckerberg on Wednesday. The heavy U.S.-focus immediately triggered criticism because privacy advocates in Mumbai are still looking into reports that Cambridge Analytica may have used Facebook data to influence Indian politics, as well.

Facebook’s acknowledgments in recent weeks have also triggered furious reactions in a privacy-conscious Europe that has long sought ways to rein in U.S. social media and tech giants. EU regulators have always been much tougher on the tech companies than their U.S. counterparts, for instance forcing them to give users more control, imposing fines for non-compliance and requiring platforms to spot and delete illegal content. The latest revelations could serve as a pretext to toughen existing rules further and force social media companies to implement broader changes worldwide.

Germany’s justice minister, Katarina Barley, recently said it was unacceptable that users “were being spied on against their will, in order to bombard them with deliberate political adverts or hatred against political opponents.” Barley called Facebook’s practices a “threat to democracy.” The European Union’s justice commissioner, Vĕra Jourová, similarly said Facebook had facilitated “deep manipulation.” Both remarks came prior to Wednesday’s announcement that Europeans had been targeted, too.

That’s why two countries included in Facebook’s acknowledgment on Wednesday are likely causing the social media company a particular headache: Britain and Germany.

Perhaps even more damaging to Facebook’s business model than tumbling shares may be the sort of EU-style regulation efforts that have been introduced here in recent years. Nevertheless, Facebook CEO Zuckerberg applauded the European efforts in a conference call with journalists on Wednesday, calling them “very positive,” in a somewhat surprising assessment.

His praise for Europe’s tough data rules — that have so far been considered detrimental to the company’s business model — may either indicate a real strategy change or could be an effort to calm Europe’s nervous regulators by promising eventual change. Zuckerberg has struck an unusually humble tone in recent weeks, as his company has gone through its so far worst crisis, even as critics say that the company has shied away from some key issues.

“We intend to make all the same controls and settings available everywhere, not just in Europe,” Zuckerberg said on Wednesday, referring to a major new online privacy law that will take effect in May. Introduced as the General Data Protection Regulation, the massive overhaul will force all companies operating here to tell their European users which data they have stored on them and provide them with an option to delete that information, among other changes.

While European social media skeptics have celebrated the law as almost revolutionary, Zuckerberg stopped short on Wednesday of promising the same rights to users in the United States or other countries disproportionately affected by the latest revelations, including the Philippines, Indonesia, Mexico and Canada.

“Is it going to be exactly the same format? Probably not. We need to figure out what makes sense in different markets with the different laws and different places. But — let me repeat this — we’ll make all controls and settings the same everywhere, not just in Europe,” Zuckerberg said.

Europe’s tough stance on U.S. tech companies may end up benefiting users around the world, if Zuckerberg follows through on his promises.

But in Europe, many already fear that the latest regulations aren’t enough.