Back in July 2019, the US Federal Trade Commission (FTC) imposed on Facebook the largest fine it has ever issued for privacy violations, in relation to the Cambridge Analytica scandal. However, a fine alone is unlikely to make much of an impact on a company the size of Facebook, and probably would not act as enough of an incentive for it to adhere to privacy rules. Corporate structural changes are needed to ensure greater transparency and accountability, and regulators such as the FTC also need greater oversight to monitor Facebook's activities.
Fines on tech giants for privacy violations will not be enough to encourage a change in practices – structural change is needed
On July 24, 2019, the US FTC fined Facebook an unprecedented $5bn for privacy violations (a figure that represents 9% of the tech giant's total 2018 revenue) and introduced a 20-year compliance agreement in order to ensure Facebook and its apps no longer abuse the personal data of customers. This includes introducing a new privacy structure at Facebook to boost accountability and transparency, as well as new tools for the FTC to monitor Facebook to improve oversight. It is clear that any amount of money set as a fine is unlikely to be sufficient to punish a company of Facebook's size. A corporate structural change has to be introduced to have any major impact. This ensures that the company is accountable for the decisions it makes about its users' privacy.
Prior to this fine, the largest privacy violation penalties were $275m against Equifax in the US, $230m against British Airways in the UK, and $148m against Uber in the US. The penalty levied on Facebook is approximately 20 times greater and is also the largest fine ever issued by the FTC; despite this, the regulator still had to introduce a raft of additional measures. The fine follows the privacy scandal in which Cambridge Analytica improperly obtained information on tens of millions of Facebook users by purchasing data from an academic. The academic had used a personality profiling app to collect information from consenting users and, because of lax privacy policies, also from all of those users' friends without their knowledge. Facebook did not cut off this access until 2015, so the company has been accused of not taking adequate steps to deal with apps that it knows are violating its policies. The FTC has understandably ruled that Facebook deceived users about their ability to control the privacy of their personal information.
The order requires Facebook to restructure its approach to privacy from the corporate board level down, by establishing mechanisms to change the firm's culture and ensure that executives are accountable for the decisions they make about privacy. The 20-year compliance agreement establishes an independent privacy committee, removing CEO Mark Zuckerberg's unconstrained control over decisions affecting user privacy. At the individual level, Facebook will be required to designate compliance officers who will be responsible for Facebook's privacy program and who are subject to approval or removal by the privacy committee. CEO Mark Zuckerberg and the compliance officers must independently submit quarterly and annual certifications to the FTC that the company is complying with the new privacy program, and must review new or modified Facebook products, services, or practices before they are implemented. Any false certification would lead to individual civil and criminal penalties. The order also strengthens the independent third-party assessor's ability to evaluate the effectiveness of Facebook's privacy program and identify any gaps, by requiring that its biannual assessments be based on independent fact gathering, sampling, and testing rather than relying primarily on information shared by Facebook management. The independent assessor will report directly to the new privacy board committee on a quarterly basis, and the FTC will use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook's compliance with the order. Finally, the order requires Facebook to document, within 30 days, any incident in which the data of 500 or more users has been compromised, together with its efforts to address that incident, and it imposes several further privacy requirements regarding third-party apps, the use of telephone numbers for advertising, the use of facial recognition technology, and security features such as encryption.
Regulators must take a tougher stance on privacy violations by tech giants to ensure they take users' privacy and data protection seriously. Introducing new restrictions on Facebook's business operations is an unprecedented move by a regulator, but it sets an example for other regulators around the world to take similarly intrusive and extensive measures against large privacy violators. Since most tech giants are based in the US, these organizations should now be aware that the FTC is not afraid of imposing major structural changes on their businesses if they fail to comply with privacy rules.
US (Country Regulation Overview), GLB005-000151 (May 2019)
Sarah McBride, Analyst, Regulation