Countless hearings and an eroded reputation. Mark Zuckerberg and Facebook have become the villain of the Internet age in some people's eyes. 

Of all the questions that have been raised, the most frequent and deadly one is whether his social network empire could ensure the safety, as he promised, of the trillions of pieces of personal information that it collected.

Politicians have been grilling one of the most powerful young men of the age for a straight answer. But perhaps, like those equivocal remarks given by Zuckerberg, it's a complicated question that is hard to answer.

What kind of data are social networking companies collecting?

When signing up and using a social networking site, most users are more or less aware that the personal information they've typed in, such as name, gender, age, email address, etc., will be collected by the company that runs the site. When users want to post photos or find more friends online, their photo albums and contacts also become open information to these companies.

It has become a common practice, although many people resist it. By combining different kinds of personal information, social network companies like Facebook can build up an accurate user profile.

"For each of your browsing behaviors, each app will generate a label for you," said He Yuan, Associate Professor of Data Law from Shanghai Jiaotong University. With these labels, the app then knows each user's shopping preferences, the financial situation, social networks, even those little secrets he or she hasn't told anyone in real life. 

Putting together all these pieces of you, the app may then know you better than your best friend - despite the fact that this app will then make a profit with your "friendship." 

Not only that, what has frightened the public in recent years are "shadow profiles."

"Shadow profiles" is a term for collecting personal information from non-users of sites like Facebook. Even if a person has never used Facebook, when his friends give Facebook access to their contacts or other social network information, Facebook will use the data to create a profile of this non-user. However, the non-user has never agreed to Facebook's policies for data collection.

Well aware of the public opinion, Mark Zuckerberg has always been cagey about the existence of shadow profiles, even under the remarkable pressure from the European Parliament.

Can government regulation keep personal data safe?

As social networking giants inevitably get their hands on the data of tens of thousands of people, the critical question becomes: How can the data be kept safe?

The public's concern focuses on two aspects. One is data leakage, such as hacker intrusion, and enterprises failing to fulfill their legal obligations to protect the data. The second is when companies actively share data with third parties or use it for targeted advertising without users' consent.

When data security breaches are exploited, it is not just users whose private data has been compromised that suffer the consequences. It has even led to suspicions that a country's elections could be somehow influenced.

In front of these Internet giants, the power of an individual is minimal. The public is pinning its hopes on strong government regulations to protect personal data.

A common global trend over the past few years has been to tighten legislation. The European Union's General Data Protection Regulation (GDPR) is widely considered the most stringent.

According to He Yuan, the GDPR has "a set of principles of authorizations" emphasizing on the users' consent. And the way in which the data will be used should be transparent. He Yuan stressed in particular that these authorizations should not be generalized, "You have to get one authorization for each purpose." He then pointed out that the accountability principle is also vital in the GDPR. "That is to say, if there is a data leak, then I need to know which company to take responsibility for."

These strict government regulations are hardly lenient. Companies that break the rules often face hefty fines. Therefore, more and more enterprises are also forced to strengthen their self-regulation.

Tripartite trade-offs: privacy, industrial development, and national strength

However, the reality is harsh. Even the most stringent regulation available cannot completely stop the leakage or abuse of personal information.

It is tempting to think of the most conservative of all options: why not just ban companies from storing or using personal data in any way? Or at least ban them outright from using it to make a profit?

"A country with sovereignty certainly has the ability to do such a kind of regulation," He Yuan said, "but what we have to see is that the protection of personal information is not the whole story." 

Data is the new oil. In addition to data security and personal information protection, the whole industry's development and even the international competitions are considered by many as bigger pictures there. 

Social networking companies count on data to build recommendation systems for their growth. Even companies like Google, which covers a wide range of businesses, rely heavily on data to make a profit. In the fiscal year of 2020, more than 80 percent of Google's total revenue was contributed by highly data-driven advertising services.

Even business giants' survival and development are so dependent on the flow of data, let alone small- and medium-sized enterprises.

More critically, data has been considered by major powers as one of the most pivotal sources in international competitions over the past few years.

"The protection of information, or data security," He Yuan underlined, "has become a bargaining chip in international trade negotiations." From his point of view, the reason the strictest rules are established by the EU is because "none of the top 20 Internet companies is from the EU." Its regulations can be that tight because most companies could be somehow hindered in terms of development are all American and Chinese companies. 

"Now, the EU is actually rethinking the extent of its regulation of personal data protection, and it's actually gradually moving towards a balance because the EU is now laying special emphasis on its digital sovereignty. I recently saw an official report from the EU in which it talked about how envious it is of China and the U.S. It thinks the EU needs an EU version of Tencent and an EU version of Google. And at the end, it said something very poignant that 'referees do not win the game.' It means the EU has to become an athlete but not always a referee," he further commented.