6 health data privacy takeaways from Zuckerberg's testimony
Facebook CEO Mark Zuckerberg spent two days on the hot seat getting grilled by members of Congress regarding the social media company’s use of consumer data. In separate Senate and House hearings last week, Zuckerberg was both apologetic and defiant in response to questions and allegations from lawmakers about Facebook’s abuse of personal information collected by the online platform.
Zuckerberg was specifically called to Washington to respond to the Cambridge Analytics scandal and Russia’s interference in the 2016 U.S. election. However, he was more broadly questioned about Facebook’s sharing of sensitive consumer data—including health information—with third parties.
Apps that collect information from consumers—and not on behalf a provider, health plan or healthcare clearinghouse—are not subject to the Health Insurance Portability and Accountability Act as either a covered entity or business associate. As a result, developers are not required under HIPAA to protect the privacy and security of consumers’ data, which is not considered protected health information (PHI). It’s a loophole that has gotten the attention of lawmakers in the Zuckerberg hearings.
Congress is now looking to better protect the online privacy of Americans and their data. As a result, Facebook and other social media companies could be hit with more stringent regulations and greater scrutiny of their operations when it comes to their handling of consumer data.
Below are the top six health data privacy takeaways from Zuckerberg’s congressional testimony:
Tougher privacy legislation on way
The Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act, introduced by Rep. Marsha Blackburn (R-Tenn.), would require both Internet service providers and “edge service” vendors—such as Facebook—to give consumers opt-in or opt-out rights for sharing certain sensitive data with third parties including health information. The bill designates the Federal Trade Commission (FTC) as the nation’s sole online privacy enforcer and treats ISPs and edge providers equally. Blackburn and other legislators urged Zuckerberg to support the BROWSER Act. “We will review it and get back to you,” he replied.
Lack of HIPAA oversight when it comes to consumer data is an issue
Congresswoman Blackburn and other lawmakers do not believe that Facebook’s self-policing is enough to ensure that consumer data—such as health information—is sufficiently protected. “A constituent of mine who’s a benefits manager brought up a great question,” Blackburn told Zuckerberg. “She said in healthcare you’ve got HIPAA, you’ve got Gramm-Leach-Bliley, you’ve got the Fair Credit Reporting Act—these are all compliance documents for privacy for other sectors of the industry. She was stunned that there are no privacy documents that apply to you all.”
Questions about Facebook’s use of consumer data remain
Rep. Kathy Castor (D-Fla.) charged that a “devil’s bargain has been struck” by consumers who use Facebook. “Facebook now has evolved to a place where you are tracking everyone. You are collecting data on just about everybody,” Castor told Zuckerberg. “You’re tracking everyone’s online activities—their searches, you can track what people buy, correct? You’re collecting that data—what people purchase online. You’re collecting medical data, correct, on people that are on the Internet—whether they’re Facebook users or not.” However, Zuckerberg disagreed with that characterization.
Facebook has taken steps to protect consumers, but needs to do more
While Zuckerberg said Facebook made “big changes” in 2014 to dramatically restrict the amount of data that developers can access and to proactively review the apps on its platform, he told lawmakers that the company is doing more. “We’re removing developers’ access to your data if you haven’t used their app in three months,” Zuckerberg said. “We’re reducing the data you give an app when you approve it to only your name, profile photo, and email address—that’s a lot less than apps can get on any other major app platform. We’re requiring developers to not only get approval but also to sign a contract that imposes strict requirements in order to ask anyone for access to their posts or other private data.”
Facebook looking to artificial intelligence to help with content review
Zuckerberg acknowledged in his testimony that Facebook should have spotted Russian interference in the 2016 U.S. elections much earlier than it did. “We’re working hard to make sure it doesn’t happen again,” he said, including leveraging artificial intelligence to prevent abuse. “Since 2016, we have improved our techniques to prevent nation states from interfering in foreign elections, and we’ve built more advanced AI tools to remove fake accounts more generally,” added Zuckerberg. “There have been a number of important elections since then where these new tools have been successfully deployed.”
Security is a technology area in which Facebook is making major investments
“We now have about 15,000 people working on security and content review. We’ll have more than 20,000 by the end of this year,” Zuckerberg testified. “I’ve directed our teams to invest so much in security—on top of the other investments we’re making—that it will significantly impact our profitability going forward. But I want to be clear about what our priority is: protecting our community is more important than maximizing our profits.”