One dented social network. 87 million profiles. 44 angry senators. And an ever increasing number of government and state investigators. That’s what’s on Mark Zuckerberg’s timeline. Lewis Crofts, MLex editor-in-chief, reports.

The scandal over Facebook, Cambridge Analytica and online privacy is already taking scalps. There has been a bite out of the company’s share price and political outrage at the power of Silicon Valley. Campaigners have railed against the abuse of privacy. Superstars have deleted their profiles. And there was a public pillaging in hearings on Capitol Hill.

But, despite all that lumped on Zuckerberg and his advisers, there is also a regulatory puzzle to solve. And authorities around the globe have been quick to put Facebook under scrutiny. What’s less clear is what laws have been broken, and what will be the regulatory fallout for Facebook and others.

Facebook has long told its users that they have full control over how widely they share their activities on the social network. What’s been far less clear is that Facebook users for years lacked complete sovereignty over their privacy.

The Cambridge Analytica privacy leak has exposed the degree to which each Facebook user’s privacy was shaped by the choices of their Facebook friends – at least prior to privacy changes Facebook made in 2014.

US regulators at state and national level, as well as lawmakers, are focusing on that previously little-known facet of the Facebook data ecosystem. As a bipartisan, multi-state investigation by state attorneys general takes shape, and lawmakers continue to lob questions, it’s clear that Facebook’s entire applications ecosystem is under scrutiny, not just Cambridge Analytica’s activities.

The investigations are likely to become the most serious challenge thus far to the social media giant’s core business strategy of collecting and sharing its users’ personal information for profit.

Zuckerberg told senators during his hearing that more regulation would be welcome. Cambridge Analytica had breached Facebook’s trust, but ‘it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it,’ Zuckerberg said. ‘We need to fix that.’

For years, Facebook has been able to fend off numerous privacy lawsuits challenging its data-sharing practices. Because the site is free, users have had difficulty proving they suffered financial harm when their information is shared without their consent. In general, those cases have been dismissed or settled for nominal amounts.

This time, the potential harm is both clearer and broader: Facebook’s data practices may have tilted the 2016 US presidential election in Donald Trump’s favour.

The bipartisan state investigation in the US is likely to steer clear of the politically charged question of Russian election interference. But lawmakers, privacy regulators and attorneys generals around the country are certain to demand details about how the world’s largest social network shares information with all third parties.

Zuckerberg maintains that Facebook’s data processing practices are not on trial. ‘You know, one of the big misconceptions about Facebook is this idea that we somehow sell data. We don’t sell any data to anyone, and that’s actually a really key part of the model,’ he said.

Regulators and lawmakers are unlikely to leave it at that.

Questions, questions, questions 

In a letter to Zuckerberg, Senator Edward Markey of Massachusetts and Senator Richard Blumenthal of Connecticut, two of the leading privacy advocates in Congress, asked how many Facebook applications collected ‘friends data’ between 2007 and 2014, and questioned whether ‘other applications misuse or fail to safeguard this data?’.

The two Democrats also asked whether Facebook had ever audited applications to see if they were misusing friends’ data, and said they want to know whether Facebook executives had ‘ever discouraged employees from auditing such external applications’.

Questions sent to Facebook by the attorneys general of a bipartisan coalition of 37 US states and territories have also focused on how the decision by a relatively small group Facebook users to download an app written by Cambridge University researcher Aleksandr Kogan could end up sharing data about tens of millions of their Facebook friends.

Meanwhile, the EU is expecting the US Federal Trade Commission to investigate claims that Cambridge Analytica accessed the personal data of European Facebook users, a commissioner said.

This expectation stems, in particular, from the fact that Facebook is signed up to the Privacy Shield data-protection agreement between the US and EU. Nevertheless, EU officials are still seeking high-level contacts with Facebook. After all, the EU can’t be seen to be leaving it to its American counterparts.

But Věra Jourová acknowledged that ‘what happened in this case probably happened before the Privacy Shield came into force’.

The UK privacy regulator, the Information Commissioner’s Office, is leading the European probe into the company. But it can only issue fines of up to £500,000 ($700,000) for privacy violations. The EU has no power to investigate such a situation, but Jourová said she was ‘horrified’ about the claims.

The UK authority is responsible for the investigation, because the data processing took place there. However, once the facts of the case are known, it’s possible that other privacy watchdogs will launch separate investigations into the impact on citizens in their jurisdiction.

A group of European privacy regulators met last week to set up a working group that would look at wider questions involving app developers. Austria’s lead regulator, Andrea Jelinek, said that Facebook just saying sorry isn’t enough.

And that’s not the end of it. An Italian government body has also opened a probe into suspect commercial practices by the social network, raising concerns over the treatment of user data. And Germany’s antitrust regulator is intensifying a separate probe into the network’s gathering of data from third-party websites.

While neither are directly linked to the Cambridge Analytica saga, they nevertheless shows that regulators in all fields of law and in all countries are turning their sights on Facebook. Who knows what they will find.

For more insight on data privacy and security and other areas of regulatory risk, visit the MLex Market Insight website.