US Federal Trade Commission fines Facebook $5 billion for Data Privacy Violations

The probe into Facebook’s Data practices began in March of 2018 following revelations from the Cambridge Analytica Scandal. It was revealed that Facebook had allowed the data mining firm to have access to the data of  over 87million people. Cambridge Analytica is also being sued over privacy violations and has settled with its former CEO Alexander Nix and its external researcher, Aleksandr Kogan, who developed the third party Facebook app that collected user’s personal information. Even though Cambridge Analytica has now filed for bankruptcy and is yet to settle the allegations, they have both agreed to restrictions on how they handle business in the future and to destroy all personal information gathered using their app.

Facebook without admitting to or denying the allegations, has also agreed to pay a separate $100 million fine to the Securities and Exchange Commission for misleading investors on disclosures regarding the risks from misuse of user data which it presented as a hypothetical issue for the last two years despite being aware about third party apps having access to their data since 2015. Facebook has further agreed to be more transparent with users on the use of third party apps and privacy practices, create an independent privacy committee on its board of directors which authorities believe will remove “unfettered control by Facebook CEO Mark Zuckerberg over decisions affecting user privacy” but also to carry out regular check ups on the way it processes data.  

The fine is however deemed insufficient punishment by some of the FTC’s members. The two Democrats on the five member commission believe that the fine will not be enough to change Facebook’s behavior with regards to Data Privacy. Commissioner Rohit Chopra said in a dissenting statement;

“The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations….Nor does it include any restrictions on the company’s mass surveillance or advertising tactics.”

Privacy advocates and lawmakers also believe that the settlement is insufficient in guaranteeing transparency and accountability in the processing of personal data of US users. They argue that Facebook has violated earlier agreements because there is simply a lack of comprehensive US privacy legislation with solid enforcement mechanisms and increased rights of consumers such as the ability to sue for data breaches as is the case with Europe and the General Data Protection Regulation (GDPR). Rather the US has a bunch of sector-specific laws like the Health Insurance Portability and Accountability Act (HIPPA) and the Children’s Online Privacy Protection Act (COPPA) that are deemed insufficient to ensure the respect of data privacy. This can be seen with the recent data breach at Equifax and Yahoo. There is also a variation between State Laws and Federal Laws. Some states are more advanced than others with regards to Data Privacy regulation with states like California which has passed the California Consumer Privacy Act passed in 2018 than goes into force in January 2020 which gives individuals in this state similar rights as those in the GDPR regardless of where the companies processing their personal data are based; such as the right to opt in or out, right to data portability, right to request specific information from businesses. Even though, this text is still lacking as compared to the GDPR when it comes to obligations imposed on businesses and certain rights of consumers like the right to be forgotten and the right to rectification, it is evidence of the increase in regulation with regards to data privacy and a warning to companies that they will need to expend greater effort to achieve compliance with regulations in the years to come especially with the call for a single data-protection legislation at federal level to harmonize the differences between state and federal requirements. This is a complex procedure which may take time but could be the ideal solution. Rather than adding layers to the myriad of already existing regulation, countries could go even further by aiming for a single global data privacy regulation which could be ideal. The EU has managed to harmonize the rules in its member states, so why not dream of a global regulation that would harmonize the global exchanges and avoid the tussle between countries or geographical areas with texts likely to contradict or to neutralize themselves .

 The FTC therefore has restricted powers as compared to other national data protection agencies such as France and other EU countries where individuals can be held personally liable and incur both civil and criminal sanctions. It thus could not personally implicate Mark Zuckerberg even if it wanted to and would have seen itself ensued in a long litigation process. It is however undeniable that this sets an example that no other Data Protection Agency in the world has been able to set when it comes to financial magnitude of this sanction.

Facebook has seen its revenue grow since the start of the scandal and it is therefore arguable that this settlement’s effect will not be significant on its shareholders. However, in terms of awareness it is set to make companies of all sizes and in all geographical locations realize that the cost of data privacy breaches is increasing even outside of the EU which has the reputation for the current strictest data protection policy and this could have a significant impact on the revenue generated by these companies. Legislation is in place to regulate tech not to hinder tech but consumers must be protected in this era where data is the major cash-cow. This might therefore only be the start of problems for Facebook and other tech giants who are facing a lot more scrutiny when it comes to consumer protection as the US Department of Justice just launched its broader antitrust investigation into the practices of market-leading online platforms. 

Both the industry players and  users have a somewhat particular relationship with these American tech giants (GAFAM in particular) who they accuse of questionable practices (Privacy, antitrust, tax) but they are almost indispensable. Only the authorities of the learned and independent authorities can restore order. In the meantime, LegalUP Consulting encourages both big and small to “put their own houses in order” and we invite you to consult our Indispensable Services and our Online Services that can assist you with compliance.