Facebook CEO Mark Zuckerberg testified for the second time in two days in front of a Congressional joint committee, in an event that was followed closely by both tech and political circles. The interaction, which lasted almost five hours, saw fifty-four US Congressmen and Congresswomen from various states question the Facebook boss about the company’s failure to guard user privacy following the Cambridge Analytica scandal. Zuckerberg was pushed harder than he was on day one of the hearings as various legislators called out Facebook for failing to protect user privacy. There were also concerns raised about possible surveillance and censorship propagated by Facebook. Zuckerberg continued to stick to the script but looked far less at ease on day two.

Here are the most notable stories emerging from the Congressional hearing:

Did Facebook violate its FTC agreement?

Members repeatedly pressed Zuckerberg on whether his company’s handling of the Cambridge Analytica affair means that Facebook violated its 2011 consent decree with the Federal Trade Commission (FTC), which required the social network to protect users’ privacy in line with what they expect. One major bone of contention was why Facebook did not inform the FTC about Cambridge Analytica back in 2015, when it found out that user data had been syphoned off. Zuckerberg kept insisting that he did not consider informing the FTC about the Cambridge Analytica incident to be a requirement of the agreement that Facebook had made with the regulatory body.

Congressman Robert Latta asked, “Why didn’t the audits that you had to submit under the FTC consent decree find these problems?” Zuckerberg again gave a canned response that Facebook believes it has complied with the decree. Privacy experts have suggested that the company may well have broken that FTC deal and could be liable for fines amounting to $40,000 per violation — possibly totalling many billions of dollars.

It must be noted that all this ambiguity might end soon, as the FTC announced in late March that it is investigating the Cambridge Analytica incident. The FTC has been making do with only two members out of five, but it is on track to return to full strength, with five new commissioners awaiting confirmation.

GDPR protections will be for everyone

Facebook, which has to comply with Europe’s General Data Privacy Regulation (GDPR), which comes into effect in May, will extend those protections to all its users, even the ones outside of Europe. “The GDPR has a bunch of different important pieces,” Zuckerberg said. “One is offering controls over — that we’re doing. The second is around pushing for affirmative consent and putting a control in front of people that walks people through their choices. We’re going to do that, too. … We’re going to put a tool at the top of people’s apps that walks them through their setting.”

Congressman Gene Green pressed for a clearer answer: “And you commit today that Facebook will extend the same protections to Americans that Europeans will receive under the GDPR?” Zuckerberg replied yes. The GDPR imposes requirements on how user data is collected, and how user data must be deleted at the user’s request.

Zuckerberg’s own profile was harvested by Cambridge Analytica

The Facebook CEO was among the 87 million people whose data was improperly obtained by Cambridge Analytica. That revelation came thanks to a question from Congresswoman Anna Eshoo, who asked, “Was your data included in the data sold to malicious third parties? Your personal data?” “Yes,” Zuckerberg answered. He didn’t offer any additional information. It’s unclear if Zuckerberg installed the “thisisyourdigitallife” app himself or if his data was collected through one of his friends.

Push for protecting minors’ data

Congressman Joe Barton pressed Zuckerberg to create new privacy protections for Facebook users under the age of 18. “Is there any reason that we couldn’t have just a no-data-sharing policy, period, until you’re 18?” Barton asked. “Nobody gets to scrape it; nobody gets to access it. It’s absolutely, totally private. … What’s wrong with that?” Zuckerberg did not commit to adding additional privacy protections. His defence: “The reality that we see is that teens often do want to share their opinions publicly.” It seems that the Facebook CEO was conflating public posts made by teenagers with data that is collected from their profile by Facebook.

Shadow profiles

One of the biggest stories from the hearing was Zuckerberg’s tacit agreement that Facebook did collect data about users who have never signed up for Facebook. Congressman Ben Luján asked Zuckerberg about something called shadow profiles – a term for non-user data collection that Zuckerberg was apparently unfamiliar with.

Luján asked, “It’s been admitted that you do collect data points on non-Facebook users. So my question is, can someone who does not have a Facebook account opt out of Facebook’s involuntary data collection?” Zuckerberg responded by saying, “Congressman, anyone can opt out of any data collection for ads, whether they use our services or not. But in order to prevent people from scraping public information, we need to know when someone is trying to repeatedly access our services.” Luján quickly demolished this argument, saying, “You’ve said everyone controls their data, but you’re collecting data on people who are not even Facebook users, who never signed a consent or privacy agreement and you’re collecting their data.”