After two days of testimony on Capitol Hill, Facebook’s Mark Zuckerberg wants you to know he’s really sorry about that Cambridge Analytica thing, and he’s open to some degree of internet regulation.

Is he truly open to lawmakers clamping down on his business? What, are you kidding?

For all his well-coached humility, Zuckerberg committed to nothing when it came to regulation.

A road map to effective privacy protection was already on the table before Zuckerberg’s appearances last week. On Monday, a coalition of U.S. and European consumer and privacy groups called for Facebook to embrace privacy standards that actually mean something.

The trans-Atlantic Consumer Dialogue said in a letter to Zuckerberg that Facebook should adopt as a worldwide standard the privacy rules that will take effect next month throughout Europe — rules that truly empower consumers.

“There is simply no reason for your company to provide less than the best legal standards currently available to protect the privacy of Facebook users,” the letter said.

The European rules provide “a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered,” it said.

Jeffrey Chester, executive director of the Center for Digital Democracy and co-author of the letter, noted in an interview that as long as any discussion of internet regulation is couched in ambiguous terms, Zuckerberg will say he’s flexible.

Put something concrete before him, and there will be pushback.

Privacy as a fundamental right is the foundation of the European law, called the General Data Protection Regulation.

Among the more noteworthy protections:

Companies must obtain consent from customers before using or sharing their personal information. They also must make it easy for a customer to withdraw consent, if desired.

Consumers have a right to know how their personal data is being used and to receive a free copy of any such information held by a business. And they must be notified of security breaches within 72 hours.

And here’s where the General Data Protection Regulation bares its fangs:

Violations result in a fine of up to $24 million or 4 percent of the company’s annual global revenue, whichever is greater. In Facebook’s case, that’s about $1.6 billion.

During his hours of give-and-take with lawmakers, who for the most part were alarmingly ignorant about the digital world, Zuckerberg was careful not to agree to anything that would undermine Facebook’s primary source of revenue, which is taking user data and making lots of money from it.

In a conference call with reporters last week, Zuckerberg said that Facebook intends “to make all the same controls available everywhere, not just in Europe.”

What does that mean? A Facebook spokesman declined to comment.

Will lawmakers act? Jessica Levinson, a law professor at Loyola Marymount University, said American policymakers “tend to have more reticence to impose government controls than our European counterparts.”


David Lazarus, a Los Angeles Times columnist, writes on consumer issues. He can be reached at