What Facebook’s Data Scandal Really Means for Regulators
(Bloomberg) -- The scandal over the alleged abuse of Facebook Inc.’s user data is unfolding a long way from China, and yet privacy regulators in Beijing have been watching intently.
Their interest shows how all three big players in the technology world -- the Americans, Chinese and Europeans -- are feeling their way to balance the demands of consumers for privacy and of governments for security.
But they’re also competing to shape the rules of the game for internet companies and, for the U.S. and China in particular, to maximize access to data for a bigger goal: to dominate Artificial Intelligence, the next frontier in machine learning.
“All of these governments and companies are in the middle of trying to figure out what data governance should look like,” said Samm Sacks, senior fellow in the technology program at the Center for Strategic and International Studies, a Washington think tank. “And this is happening in a global context that will have implications for trade and for research and development in AI.”
New Chinese privacy standards take effect on May 1. The European Union’s sweeping General Data Protection Regulation enters force just over three weeks later.
Now the prospect of tighter data privacy legislation in the U.S. just got a little closer too. Facebook Chief Executive Officer Mark Zuckerberg is preparing to testify to Congress on how Cambridge Analytica, a company that worked on Trump’s election campaign, secured the data of 50 million Facebook users. That news helped to send tech stocks tumbling in the U.S. and China, a rout that’s continued into this week.
“This Facebook incident sounded the alarm for Chinese data regulators and controllers,” said Lu Chuanying, a cyber-security researcher at the Shanghai Institute for International Studies who helped draft the new data privacy standard for China’s tech companies.
“If that’s a problem for the largest social network platform in the U.S., then that can be a problem for Chinese companies,” as they wrestle with potential responsibility for third-party data abuse, he said.
AI has exploded in recent years as ever more datasets become available to be mined by algorithms.
From robotics, to language and image recognition, to heath care and military applications, many expect AI to drive future economic growth and define great power competition. As Russian President Vladimir Putin put it last year, “the one who become the leader in this sphere will be the ruler of the world.”
China’s President Xi Jinping has set out an ambitious plan to dominate in AI by 2030, overtaking the U.S. It would see gross output from China’s AI industry increase 10-fold within the next three years, to 150 billion renminbi ($24 billion), and to 1 trillion renminbi by 2030.
Lu said that vision plays a part in drafting regulation. He described the stringency of China’s current data-privacy rules as falling deliberately somewhere between the U.S. and the EU. That’s partly because of competitive concerns over access to big data.
The U.S. government’s goal is to maintain its global lead in AI development. The EU, which has no big data-collecting corporations on the scale of Facebook, Amazon.com Inc., or Chinese giant Tencent Holdings Ltd., has said it wants to lead in the ethical use of data. It too, though, is beginning to worry about getting left behind on AI.
A study by Jeffrey Ding for Oxford University’s Future of Humanity Institute published this month found that China currently trails the U.S. in AI capabilities on most metrics, though not on access to big data or the supercomputers to crunch it.
That’s the result of heavy government investment, a 1.4 billion strong population, a higher e-commerce saturation than the U.S., and intrusive government databases that would be politically difficult to maintain in the west.
China is trying to manage access to online information and restrict data exports while legislating for greater privacy rights for consumers in the commercial sector. The tension between those goals is reflected in China's privacy legislation, said Richard Bird, a Hong Kong-based partner in the law firm Freshfields Bruckhaus Deringer.
Though in some ways at least as strict as the EU’s, China’s new privacy standard is non-binding, he said. Meanwhile, the most developed measures to protect personal privacy are, tellingly, in the National Cyber Security law.
Adopted last year, it required companies to store and process locally all personal data as well as any other data that China considers “important.” The U.S. filed a complaint at the World Trade Organization that such a vaguely worded restriction will be used to discriminate against foreign companies.
Then there are the penalties. While the alleged misuse of data in the Facebook-Cambridge Analytica case would breach Chinese law, the potential fine would be capped at 10 times any unlawful gain, said Bird, adding that in practice that means one of up to about $150,000 would be more typical.
Chinese tech companies have issues with the Cyber Security law, too. The government wants commercial internet champions such as Alibaba Group Holding Ltd., Baidu Inc. and Tencent to expand abroad, adding a digital plank to Xi’s One Belt One Road strategy of building infrastructure around the world to expand China’s trade links and influence.
Those same companies have been “pushing back on data localization because they see it potentially hurting them globally,” said Sacks, the U.S. analyst.
Alibaba, for example, might not be able to serve its Chinese customers abroad. Chinese financial institutions could be hobbled by domestic bureaucracy as they try to make international transactions. The tech companies also want clearer privacy regulation to help win the trust of the foreign governments and consumers they need to expand abroad, according to Sacks.
The companies see international growth as important for data access as well as profit. The U.S. may only have a population of 330 million, but Facebook has 2.2 billion active monthly users and all the information that comes with them.
That said, the whole focus on big data as the new oil -- the essential ingredient for a new, AI-based post-industrial economy -- may be overdone, according to Paula Parpart, founder of Brainpool.ai, a U.K.-based company that provides companies with high-level AI engineers.
One reason, she said, is that progress is being made in data analysis that strips out the identity of individuals -- something known as differential privacy.
Another is that what most people call AI is in reality machine learning, using the brute force of big data to perform tasks. True AI requires coming up with algorithms that, like humans, can learn from just one or two examples, rather than thousands. More privacy regulation could force research in that direction.
Even then there could be risks to over-regulation, according to Parpart. If companies like Alibaba or Facebook are restricted too much in terms of the data they can store and how they can use it they may lose the advertising revenue that enables them to fund AI research, she said.
©2018 Bloomberg L.P.