Previously a looming afterthought for compliance professionals and siren song for privacy experts, the European Union’s General Data Protection Regulation (GDPR) was cast under a new spotlight in the congressional hearings of Facebook CEO Mark Zuckerberg in wake of the Cambridge Analytica scandal. While it remains unknown whether Facebook is currently or will be in compliance with the GDPR, Zuckerberg said in his testimony that Facebook will extend the protections guaranteed to EU users under the GDPR to U.S. users.

But the regulation, set to go into effect May 25, sets forth compliance challenges diametrically opposed to how Facebook profits, particularly in crunching and licensing users’ data. And there remains skepticism over the company’s ability to meet the regulatory requirements—Zuckerberg’s own cheat sheet for the hearings reads, “Don’t say we already do what GDPR requires”—particularly those allowing EU users to have their data deleted upon request and stipulating users provide consent before their data is processed.

Facebook’s Challenges