In the wake of the Cambridge Analytica scandal which saw some 50 million Facebook users’ personal information collected by a data analytics firm without their knowledge, the social network’s CEO stopped short of promising to extending the privacy protection that it will afford to users in the European Union, to people beyond those borders.

The EU’s General Data Protection Regulation (GDPR) laws, which will go into effect on May 25, allow for increased privacy for users of online services and prescribes strong measures and harsh penalties to prevent the misuse of their data. That’s great for the 28 countries that form the EU, but the fact that Mark Zuckerberg isn’t yet willing to protect other people’s data the same way is worrying.

Speaking to Reuters, he explained that the company is working on drawing up a version of the GDPR to enforce globally:

We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing.

That sounds good on paper, but it remains to be seen just what Zuck & Co. choose to leave out. With a service that’s already used by two billion people across the globe, the CEO’s stance, as well as the recent scandals that have rocked the company, raise a question as to whether Facebook should be subject to government regulation.

That’s a sticky wicket, to say the least: Zuckerberg himself seems open to the idea, while The Washington Post’s former publisher Donald Graham makes some strong points against it (imagine President Trump dictating what’s allowed on your news feed).

Naturally, any sort of conversation concerning the regulation of social networks – where people express themselves, where companies market their products, and where publishers’ content is shared – needs to be as nuanced as possible. While we try to ensure users’ privacy and prevent them from encountering misleading information, we also need to think about what makes a social network useful to us.

To that end, I agree with Graham: there are fairly obvious dangers to letting politicians decide how a company – and by extension, a platform – should run. At the same time, protections like the GDPR seem like they’d go a long way in keeping people safe from having their data exploited.

It’s also worth noting that some countries could use help in protecting their citizens online. India has Facebook’s largest country audience, ahead of the US, but it doesn’t yet have a data protection law in place – and so it wouldn’t be able to hold the company accountable when citizens’ data is exposed. Extending the EU’s GDPR to cover the globe could certainly benefit the 241 million users across India.

Facebook has the potential to be part of the infrastructure that connects people across the world; if that’s the plan, it seems like some degree of government oversight around how it handles critical functions that affect large numbers of people will help both the company and its users. Zuckerberg believes it’ll take years to fix the issues already plaguing the social network; why not consider regulation as part of that process during that time? It would show that Zuck and friends truly cared about their users.

Update: On April 5, Politico reported that Mark Zuckerberg said he planned to have Facebook extended GDPR protections to users across the globe:

We intend to make the same settings available everywhere, not only in Europe. We need to figure out what makes sense in different markets with the different laws and different places. But let me repeat this, we’ll make all controls and settings the same everywhere, not just in Europe.

The Next Web’s 2018 conference is just a few months away, and it’ll be 💥💥. Find out all about our tracks here.

Read next: March in Africa: Uber on motorcycles, Spotify’s arrival, and solar panels