Information & Ethics Committee on May 28th, 2019

Artificial intelligence is a great lever to help us identify this. It is not perfect. It is not salient where it will get 100% of the activity right, just as humans we will not get 100% of the activity right. I would have to check on this video specifically, but if we were made aware of this video, we would remove it. This is a very straightforward call.

Mr. Potts, if you do some homework and check, local Muslim leaders flagged it to Facebook, and Facebook did not take it down despite being aware of it, despite it being, as you say, a clear breach of your own policies. I'd like to know why.

Sir, I would have to see how the content was shared. The way that you have—

You said, Mr. Potts and Mr. Chan, that both of you are content specialists. You are domain specialists. You're here in place of Mr. Zuckerberg and Ms. Sandberg, and you should know. This happened a few months ago, so why was it not taken down despite Facebook being aware of it? Can you explain?

I'm trying to explain that I don't know that premise. I'd have to check to make sure that we were actually aware. I do not believe that we were aware of that video at the time.

Let me suggest to you that you didn't remove it because such content is sensational. It incites fear, violence, hatred and conspiracy theories. As Mr. McNamee explained to us earlier, that is what drives eyeballs to your platforms. It's what drives users to your platforms and that is the engine room of your profit mechanism.

Mr. Tong, I reject the premise. I reject that wholeheartedly. If we know that something is hate speech, if we know that it is causing violence, we actually move more swiftly.

We had a discussion earlier about misinformation. If we know that misinformation is actually leading to physical harm and violence, we work with trusted partners on the ground, civil society and others, to flag that for us—law enforcement even—and then we will actually remove that content.

Mr. Potts, Facebook was told about this. You can check. Facebook was also told about the problems in Sri Lanka on March 2018 by the Sri Lankan government. It refused to take it down on the basis that it didn't infringe on your own policies. Mr. McNamee says that as a result, governments in Sri Lanka, in Indonesia and in India have had to take proactive action to shut down social media such as Facebook and WhatsApp. Is that how you want this play out?

Can we trust the policies you have in place? Can we trust that what you do and put in place, checks to seek out and remove such content, will actually work?

Thank you, Mr. Chairman. We're delighted to be here this afternoon.

I'll start by listing out my questions for you, and the social media companies can answer afterwards. I have about three questions here. The first is in relation to data protection.

It's very clear that you're all scrambling to figure out how to make privacy rules clear and how to protect users' data. The inception of GDPR has been a sea change in European data protection. The Irish data protection commissioner now has the job of effectively regulating Europe, given the number of social media companies who have their headquarters based in Ireland.

In the 11 months since GDPR came into force, the commissioner has received almost 6,000 complaints. She has said that her concentration on Facebook is because she didn't think that there would be so many significant data breaches by one company, and at one point, there were breaches notified to her under GDPR every fortnight, so she opened a consolidated investigation to look at that. I want to ask Facebook if you can comment on her remarks and why you're having such difficulty protecting users' data.

Also, for this next question, I might ask Google and Facebook to comment. I and my colleague James Lawless and deputy Eamon Ryan met earlier this year with Mark Zuckerberg in Ireland, and he said that he would like to see GDPR rolled out globally. Some of Facebook's biggest markets are in the developing world, such as in Asia and Africa, and out of the top 10 countries, there are only two in the developed world, the United States and the United Kingdom. Some experts are saying that a one-size-fits-all approach won't work with GDPR, because some regions have different interpretations of the importance of data privacy.

I would like to get Google's viewpoint on that—What is your view is in relation to the rollout of GDPR globally? How would that work? Should it be in place globally?—and in relation to the concerns around the different interpretations of data privacy.

Finally, due to the work of our communications committee in the Oireachtas—the Irish parliament—the Irish government is now going to introduce a digital safety commissioner who will have legal takedown powers in relation to harmful communication online. Given that Ireland is the international and European headquarters for many social media companies, do you think that this legislation will effectively see Ireland regulating content for Europe and possibly beyond?

Whoever would like to come in first, please comment on that if you could.

Thank you, ma'am. I want to indicate that Neil and I spent some time with our Irish counterparts, and they have nothing but complimentary things to say about you, so it's nice to meet you.

With respect to the question of breaches that you mention, obviously we are not aware of the specifics that would have been sent to the Irish data protection authority, so I wouldn't be able to comment specifically on that, but I would say our general posture is to be as transparent as we can.

You—and various members at this committee—will probably know that we are quite forward-leaning in terms of publicly revealing where there have been bugs, where there has been some information we have found where we need to pursue investigations, where we're made aware of certain things. That's our commitment to you but also to users around the world, and I think you will continue to hear about these things as we discover them. That is an important posture for us to take, because we do want to do what is right, which is to inform our users but also to inform the public and legislators as much as possible whenever we are made aware of some of these instances.

We want to be very transparent, which is why you will hear more from us. Again, unfortunately, I cannot speak to the specifics that the DPA was referring to.

Google, can I have your comments, please?

As we outlined in our opening remarks, we look for international standards that are applicable across a variety of social, cultural and economic frameworks. We look for principle-driven frameworks, particularly in data protection. That has been the history with GDPR as well as the previous OECD principles.

The extension of GDPR beyond its current boundaries is something that is preferable. The question is, how does it adapt to the particular jurisdictions within which it has to operate, considering that the European environment and the history of data protection in Europe is very different from elsewhere in the world, especially the portions of the world, whether Africa or Asia, that you identified?

We're in agreement there. We have been applying the protections that are given to Europeans on a global basis. The question is, what does that look like within a domestic jurisdiction?

On your second question around a digital safety commissioner, I'll turn it over to my colleague Derek.

Thank you very much, sir. I understand from one of my colleagues in Canada that she spent some time with you yesterday at a round table. Thank you very much for the invitation.

With respect to the various platforms, our terms of service and our user data policy does underline the fact that we will share data infrastructure between various services, as you know. A big part of it, to be quite frank, is to ensure that we are able to provide some degree of security measures across platforms.

Facebook is a platform where you have your authentic identity. We want to make sure people are who they say they are, but there are lots of good reasons why you will want to have similar kinds of measures on the Instagram platform, for example. There are many instances where—and you would have heard of these in terms of even some of our coordinated inauthentic behaviour takedowns—to be able to do adequate investigations across the system, we actually have to have some ability to understand the provenance of certain content and certain accounts. Having a common infrastructure allows us to very effectively deal with those sorts of challenges.

Yes, and it allows you to very effectively aggregate the data, increase the knowledge of the user and also increase the profit. Isn't that the reason behind it?

It would be possible to, again, give all the users the ability to decide on that. That would be very easy, but I think it would also be very costly for you.

I think, sir, what you're touching on in terms of the broader arc of where we're going is correct. We do want to give people more control. We want people to be able to—

Okay, but why then are you working against that ruling in Germany?

I think the nub of this is again the question that Mr. Erskine-Smith raised: Where do the limits of competition policy start and end versus the limits of privacy?

Okay. Thank you.

I also want to go to Google. You mentioned that you need clear definitions of unlawful speech. I looked into Germany's transparency report and it turns out that of 167,000 complaints in Germany, it was only in 145 cases that your colleagues needed to turn to specialists to determine whether or not this was unlawful speech. Why, then, do you think this is really a problem? Is it really a problem of definition or is it really a problem of handling the number of complaints and the massive amount of hate speech online?

That's a very important question. The NetzDG is a complex law, but one of the pieces that is relevant here is that it calls out, I believe, 22 specific statutes that it governs.

Actually, the NetzDG basically says that in Germany, you need to comply with German law—full stop.

I understand that, and it says, with respect to these 22 statutes, “Here is your turnaround time and your transparency reporting requirements, leading to the data you had.” I think part of what is important there is that it refers specifically to clear statutory definitions. These definitions allow us to then act on clear notices in an expeditious manner as set within the framework of the law.