Behind the interrogation of Facebook CEO Mark Zuckerberg in the US Senate this week lies a much more fundamental question about personal privacy, which is applicable in SA as it is anywhere else in the world. Are local laws up to the task of protecting individual personal privacy, not only from Facebook but hundreds of other information collection mechanisms?

The essential problem with Facebook and other digital organisations like it is that while they present themselves as a service organisation for their users, their customers are not, in fact, their users, but marketing organisations, political and commercial, that are buying detailed access to users’ personal information.

Much of this is benign. As irritating as it might be, most people recognise there is some advantage in being the recipient of marketing material because it provides access and awareness to what you might need. Even detailed demographic information can be useful, obviously to the marketing agent, but also to users. What teenager wants car advertisements foisted on them before they are legally allowed to drive? In a sense, it sometimes suits the subjects of marketing for the marketer to have some access to their personal information.

But how much? Recent revelations suggest that political marketing company Cambridge Analytica used a scam to extract detailed personal information on about 87-million Facebook users. The scam was a based on a trivial personality profile tool. But, shockingly, users were asked whether they wanted to share their personal information when they used the tool, and not only their own but also that of their Facebook friends.

It was because Facebook allowed users to not only provide information on themselves but also on their friends that a nondescript digital plaything became an exponentially powerful reaper of personal information.

Facebook not only allowed this to happen, but when it became clear that the information was being used not for academic purposes to research personality but as a database for sale completely unrelated to the theoretical character of the personality test it asked for the information to be deleted but did not check whether it had been and did not report the fact that such a huge data reaping had taken place.

Indeed, the organisation would have been hypocritical to have taken a firm stance against Cambridge Analytica since what that organisation did is hard-wired into Facebook’s own business plan. Facebook itself sells user information to marketers and advertisers, only casually and loosely telling users what it is up to. So it could hardly complain if someone else was doing the same thing.

The South African information regulator has now asked Facebook to contact all South Africans affected by the social network’s data breach and to clarify what it is doing to keep users’ data safe. About 60,000 South African users were affected. Facebook’s most likely response will be a polite letter expressing deep concern and listing urgent measures aimed at doing very little. It cannot do otherwise since its business model is so crucially linked to the purveying of its victims’ personal information.

Perhaps Facebook will do more, and if it does the organisation should be lauded. But in case it does not, legislators should start warming up the legislative process. It should be up to users, not Facebook, what personal information can be shared with marketers. Users’ information should be private by default and users should not be allowed to divulge their friends’ information without the approval of those people. Access to the information on a mass basis should be controlled.

None of this would make Facebook less of a useful tool, and it is easy to get carried away with the moment. More than a third of the population of SA uses Facebook and they are by now aware that they are sacrificing some of their privacy by doing so.

The task is to prevent abuse but not "unlike" the utility that the internet, and Facebook with it, provides.