“We’re making a clear and formal long-term commitment to do the things we’ve always tried to do and planned to keep doing — giving you tools to control who can see your information and then making sure only those people you intend can see it.”

After 10 hours of gruelling interrogation by US senators this week, these comments might sound familiar to anyone following Facebook’s latest data privacy scandal.

But they’re actually from 2012, when Zuckerberg apologised to Facebook’s then audience of 800 million users for exposing their private information to advertisers.

It’s also awfully similar to an apology Zuckerberg issued in 2007 — “we simply did a bad job with this release, and I apologise for it” — when Facebook published its users’ online purchases for everyone to see.

And it’s got plenty in common with his apology the year before that — “this was a big mistake on our part and I’m sorry for it” — when Facebook rolled out its Newsfeed with no privacy controls whatsoever.

EXCLUSIVE: The first Aussie victim of the Facebook scandal

CHECK YOUR ACCOUNT: Was your Facebook data stolen?

MORE: Mark Zuckerberg’s body language gave away his poker face

MORE: Even more Facebook users are now at risk

REVEALED: How Facebook became a social nightmare

Zuckerberg and his creation have a long history of “asking for forgiveness not permission,” when it comes to handling users’ information, privacy experts argue, but the approach could be coming to an end.

In addition to this week’s congressional hearings, the world’s largest social network faces fines of more than $2 trillion if found to have broken an agreement with America’s Federal Trade Commission, and it’s the subject of ongoing investigations from Australia, the United Kingdom, Europe, Nigeria, and Indonesia.

But will new laws governing advertisements, user privacy, or even fines really stop Facebook from exploiting users’ information? And, if not, how many Facebook users are ready to walk away and start a new online life?

Zuckerberg’s appearance before US Congress this week was widely watched and just as widely criticised, as he rigidly insisted Facebook did not sell users’ information, that users had complete control over their information, and if they were not satisfied they could leave the social network.

“People often ask what the difference is between surveillance and what we do, and the difference is extremely clear,” he told one US senator.

“On Facebook, you have control over your information. The content that you share, you put there. You can take it down at any time. The information that we collect, you can choose to have us not collect, you can delete any of it, and of course you can leave Facebook if you want.

“I know of no surveillance organisation that gives people the option to delete the data that they have or even know what they’re collecting.”

Zuckerberg admitted he “didn’t get the balance right” when it came to the Cambridge Analytica data breach, however, that saw an app scrape and sell private information from the Facebook profiles of as many as 87 million people, including 311,127 Australians.

And the two hearings also highlighted Facebook’s efforts to track internet users across the web, even if they didn’t actually use the service.

Zuckerberg refused to acknowledge the term “shadow profiles” for this information, but he did admit Facebook tracked the purchases of internet users on any page with a “Like” or “Share” button, or invisible “Facebook Pixel” code.

The US senators discussed potential regulations, including an Honest Ads Act and a Digital Consumer Protection Agency.

Australian Privacy Foundation chair David Vaile says strict regulations and privacy protections against Facebook and other online giants are long overdue, given their history of misusing consumers’ personal information.

Vaile cites examples such as the lack of adequate privacy protections for Facebook’s first 400 million users — for which the company apologised — and the findings of an Irish Data Protection Commissioner audit in 2012 that discovered third parties could access the private information of Facebook users without their consent.

The examples, he says, prove Facebook cannot be trusted with users’ privacy.

“(Zuckerberg) has not demonstrated any type of deep awareness and it looks like they have a regulatory playbook where he asks for forgiveness, puts on a suit, says the right things, and reads heavily crafted spin,” Vaile says.

“You do not negotiate with these people, you do not play nicely with them, you do not treat them like respectable corporate citizens. You have to treat them almost like a rogue state.

“You have to ask, what will it take to get them to take notice? They treat us with contempt if we just get them to agree to something. How about a global fine of four per cent of global revenue? That’s what the Europeans are doing now.”

Changes to European guidelines, called the General Data Protection Regulations, will come into force on May 25 and, in addition to fines, demand new rules around user consent, the right to delete information, and even the right to seek compensation when privacy is breached.

Zuckerberg pledged to roll out necessary changes for European Facebook users, and mirror them in other parts of the world.

The stakes for Facebook are high for Facebook’s audience too. While Facebook insists only advertisers have left the network following the scandal, a study of 1000 users by Creative Strategies shows individuals are disengaging too.

Nine per cent they had deleted their Facebook account, but 17 per cent said they had deleted the Facebook app from their phone, and 35 per cent said they were using the network less often.

“This should be a real concern for Facebook,” analyst Carolina Milanesi says, “as unengaged users will prove less valuable to brands who are paying for Facebook’s services.”

Originally published as Facebook data scandal: Experts argue new laws are urgently needed to protect users’ privacy