Go back to menu

Mark Zuckerberg speaking before the European parliament about user privacy

22 May 2018

29 May 2018

The meeting between Mark Zuckerberg, Facebook's CEO, and the MEPs (Members of the European Parliament) took place on 22 May 2018 in Brussels. The intention of the MEPs was to get further information on how the social network plans to protect its users. The meeting in the European capital between Mr. Zuckerberg and the leaders of the political groups of the European Parliament was demanded by the EU following the Cambridge Analytica scandal.

The hearing of Facebook's CEO before the European Parliament is even more important as it took place three days before the GDPR (General Data Protection Regulation) entered into force. With the implementation of the GDPR on 25 May, the EU seeks to improve the protection of personal data of all European citizens. Mr Zuckerberg had previously described this regulation as a "positive step".


The European Parliament saw the meeting with Mr. Zuckerberg as a starting point for the development of new social media platform governance, as the EU wants to establish concrete measures to ensure the continued functioning of the digital single market. 

The MEPs had hoped their meeting might take a question and answer format but, in the end, the hearing took the form of all the MEPs asking their questions at the beginning, and Mr. Zuckerberg only speaking to address those questions at the end. Although the hearing did lead to some responses from Mr. Zuckerberg, many questions remained unanswered. For instance, the CEO refrained from making any clear statements regarding important antitrust issues, the cross-use of data between different services (i.e., Facebook Messenger, WhatsApp) or the fate of data of non-users of Facebook collected through various apps. 

However, Mr. Zuckerberg did provide some answers with respect to certain concerns regarding cybersecurity, data protection and responsibility for content. Given that the format did not allow Mr. Zuckerberg to address all questions immediately, the MEPs and Facebook agreed that Mr. Zuckerberg's team will follow-up on the open issues in writing at a later point.


A few weeks ago, following the Cambridge Analytica scandal, Facebook's CEO apologised before the US Congress, acknowledging that Facebook had not 'taken a sufficiently broad measure of its responsibilities'.

Although the MEPs acknowledged the apologies, reiterated by Mr. Zuckerberg before the European Parliament, they made clear that their expectations go beyond mere excuses. Facebook's CEO was asked to describe the course of events; the steps taken by Facebook to address the issues; its strategy to prevent any further future breaches and whether a similar situation could occur again in the future.

Mr. Zuckerberg explained that Facebook will double the number of people in its security teams to reach 20,000 this year in order to increase its data security efforts, emphasising that "keeping people safe will always be more important than maximizing our profits". 

The changes already introduced in 2015 had allowed the removal of more than 200 applications which had collected data on Facebook's platform. Mr. Zuckerberg assured the MEPs that from now on, applications no longer have access to such a wide variety of data as was the case with Cambridge Analytica. However, he acknowledged that the entire process will require months to complete and will form part of an in-depth investigation. 

In any case, with the GDPR coming into force, Facebook (and all other internet 'giants' providing services to European customers) will be required to meet very high standards in terms of security measures including the implementation of technical and organisational measures to ensure a minimum level of security while being obligated to notify any data breach to the relevant data protection authority within a maximum of 72 hours. If Facebook fails to comply with those requirements, it may be subject to substantial fines (as high as 4% of its global turnover).


Mr. Zuckerberg announced that Facebook will comply with the GDPR as of 25 May 2018 and reiterated that the GDPR's principles, especially accountability and governance, will be applied by Facebook worldwide, and not solely in Europe. However, his statements remained, once again, rather vague as to how that approach will be implemented throughout the social network. Mr. Zuckerberg alleged that certain features have already been integrated into the platform, such as the possibility to eliminate search history and related cookies providing users with the necessary power over their personal data.

Facebook's CEO also took the opportunity to present Facebook's new pro-active data protection approach ('Predict rather than react!') which includes an active and constant investigation process to ensure the banning of suspicious applications. Unfortunately, the pragmatic questions of MEPs on the concrete means to achieve this goal were not addressed. In detail: Will Facebook still collect personal data and sell such data to third parties without the data subjects' consent? Under which conditions and how fast will data subjects be able to have their personal data deleted? Will non-users of Facebook have control over their personal data collected through other apps? What is Facebook doing with such non-users' personal data?

The MEPs made clear that they expect more detailed answers on these crucial issues. In any event, these matters should be closely monitored after 25 May 2018 since the GDPR will impose on Facebook, as well as on all its competitors, the obligation to fully comply with general data protection principles, such as transparency (including information of data subjects of the transfer of their personal data to other countries or to third parties), exercise of data subject's rights (right of access, right of erasure etc.) and accountability. Facebook will thus be required to adhere to these principles and therefore be more 'transparent' on its data practices, especially with regard to the direct communication with its users.


Many of the MEPs' questions touched on the issue of regulation. A large majority of the MEPs made clear that the self-regulation of Facebook would not be sufficient, and thus a regulatory framework will need to be established to ensure an appropriate level of protection. In his response Mr. Zuckerberg stated that the concern should not be about 'self-regulation', but rather about the right level of 'good regulation'. In this respect, he asked for a framework flexible enough to allow innovation but sufficiently regulative to protect its users. 

Mr. Zuckerberg expressed his view that while hate speech, fake news, fake accounts, political bias etc. have no direct link to the services of Facebook, the company did need to take some responsibility in order to cope with such phenomena. Once again, Mr. Zuckerberg made clear that it is Facebook's ambition to proactively flag inappropriate content and remove it as soon as possible.

Yet, the suggested measures to fight against such content remain unchanged: (i) developing an even more powerful AI system and (ii) engaging independent third parties to check the relevant contents and highlight any suspicious information. Unfortunately, it is still unclear how to identify such appropriate 'independent third parties' and what type of AI algorithms would best serve the described purposes. 

Mr. Zuckerberg also reassured MEPs that Facebook is a neutral platform for all sort of ideas. People should be able to share their ideas on Facebook regardless of their point of view. Accordingly, Mr. Zuckerberg promised that Facebook does not target any ideological or political views when deciding on the deletion of information or accounts from the platform. However, the specific algorithms used by Facebook for reaching such decisions, once again, are not yet disclosed to the public. Furthermore, in the absence of any knowledge of the systems implemented by Facebook, how can one be certain that the data collected through AI systems will not be processed for other means? 

Against this background, the MEPs made clear that – whilst Facebook's alleged ambitions and goals are praiseworthy – the public still remain sceptical as to how Facebook intends to implement its new approach towards transparency. In any case, the expectations of the MEPs and the European public have not yet been satisfied.


Following his appearance in Brussels, Mr. Zuckerberg moved on to Paris where he was part of the 50 leaders of major digital companies welcomed by French President Emmanuel Macron, for the "Tech for Good" meeting. Others present included the CEOs of Microsoft (Satya Nadella), IBM (Virginia Rometty) and Uber (Dara Khosrowshahi). 

For Facebook's CEO, the trip to the French capital was also an opportunity to celebrate the three years anniversary of the Paris laboratory dedicated to artificial intelligence 'Facebook AI Research Paris'.

On Thursday, 24 May, Mr. Zuckerberg was present at the opening day of Vivatech, the technology fair in Paris organized by Publicis (French communication group) and 'Les Echos' which brings together more than 8,000 start-ups. Mr. Zuckerberg and Maurice Lévy (Chairman of the Supervisory Board of Publicis) had a panel discussion where Mr Zuckerberg elaborated further on his vision of the future governance of the platform. “Hopefully in the coming six months or year I will come up with some models of community-led governance. One example of this is around having an appeals process … hopefully where I would like to get to, is something like the Supreme Court of a hierarchical court that is more independent that is made up of people who maybe aren’t employed by Facebook but have some understanding of what the policies are and the principles that we are trying to have for the community…So that way if someone in the community disagrees with the decision and the appeal, they can appeal to this broader group who will make decisions that are binding."

He also restated his belief that users should have full control over their data. However, he said users making use, for example, of the new Clear History feature - which will clear all of the browsing history about how user have clicked on things in the newsfeed and the different things users have interacted with on the service - would potentially make the functioning of the platform worse for users as the platform would then have to relearn users' habits and "the ads that [users] see may be less interesting”.