It would be easy for bank CEOs to breathe a sigh of relief that, after years of getting pummeled by lawmakers in high-profile, televised hearings, it was someone else’s turn this time.
But while it may have felt satisfying to watch another CEO — not to mention a fresh-faced tech billionaire — handle the pressure of the congressional hot seat, such a reaction misses the bigger takeaway for banks from Mark Zuckerberg’s appearance on Capitol Hill Tuesday afternoon.
That is: Attitudes about data privacy — both in Congress and among the general public — are changing, and banks better listen up.
During hours of questioning from the Senate Judiciary and Commerce committees, the Facebook CEO apologized repeatedly for not doing enough to protect the personal information of his company’s users. The hearing came amid revelations that Cambridge Analytica, a data firm with ties to President Trump’s 2016 campaign, improperly accessed the data of as many as 87 million users.
Zuckerberg’s highly anticipated appearance also came as Facebook continues to deal with the fallout from revelations that the social media platform was used by Russians to disseminate false and divisive information during the election.
“It was a big mistake, and it was my mistake,” Zuckerberg said during the hearing, adding that he didn’t take a “broad enough” view of his social responsibility. “I’m sorry.”
Zuckerberg remained contrite as 44 members from both committees — representing nearly half of the Senate — took turns probing him with questions, on topics ranging from whether Facebook collects data from other apps that customers use, to the various ways the company tries to gives its users control of their data.
What made his appearance different from other CEO drubbings in Congress, though, was the sense that it marked the beginning of a much broader public policy debate about how companies should use the personal data they have on customers — and what kind of consent they should they should obtain in doing so.
Banks clearly have a big stake in that conversation. More so than other types of companies, they view themselves the preeminent gatekeepers of personal information.
“This privacy issue is a big deal,” Jamie Dimon, chairman and CEO of JPMorgan Chase, said last month when asked what advice he would give Facebook as it navigates its recent debacles. “All of that data, location, shopping, sites, places you visit — all of that information is being accumulated and sold and marketed around the world.”
Consider the recent consumer banking app announced by Citigroup, which said in late March that it will provide financial advice to anyone, including noncustomers, in exchange for their personal data. Or the move by JPMorgan last year to create a way for its customers to share data with Intuit, the owner of Mint and TurboTax, without having to fork over their passwords.
And there have been less flattering examples of the financial services industry’s ability to safeguard consumer data, such as the cyberattack at Equifax, in which 145.5 million consumers had their personal data stolen.
During the hearing, several senators made nods to potential ways to address the issue of data privacy through legislative action.
“If Facebook or other online companies cannot fix privacy invasions, then we are going to have to,” Sen. Bill Nelson, D-Fla. “How can American consumers trust folks like your company to be caretakers of the most personal and identifiable information?”
Among the options floated was a bill, sponsored by Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., to provide a “privacy bill of rights” for consumers.
Sen. Brian Schatz, D-Hawaii, suggested that lawmakers should require tech companies to act as “information fiduciaries,” in the same way that attorneys, doctors and financial advisers are required to protect the information of their clients. It’s a concept that has been advocated by Jack Balkin, a constitutional law professor at Yale.
Meanwhile, several senators, including Lindsey Graham, R-S.C., questioned whether European countries “have it right” in terms of how they regulate data privacy. The European Union last year adopted strict privacy regulations designed to give customers more control over their personal information.
“I think they get things right,” Zuckerberg said of the Europeans, in response to Sen. Graham’s question, prompting laughter from the audience.
It remains to be seen whether the uproar over Facebook’s mishandling of consumer data results in new laws or regulation. Also unclear is what role banks will play in the debate to come.
With Zuckerberg scheduled to testify in the House on Wednesday morning, though, it’s clear that the conversation is just getting started.