The United States Federal Trade Commission (FTC) is considering a “record-setting” fine against Facebook, Inc. for violating a 2011 consent agreement that ordered the social media giant to protect the privacy of users’ personal data. The pending penalty is the result of an investigation into Facebook’s business practices following the Cambridge Analytica scandal in 2018, in which the personal data of tens of millions of users was accessed without their consent and used for a variety of purposes, including political profiling. The scandal prompted investigations in the United Kingdom and the U.S., as well as several lawsuits.
Two letters, one from a coalition of privacy activists, including the Electronic Privacy Information Center (EPIC), and another from U.S. Senators Edward J. Markey and Richard Blumenthal, urge the FTC to continue the investigation despite the government shutdown, and impose the maximum fine under the law for violating the 2011 consent order.
“Based on the duration of the violations, the scope of the violations, and the number of users impacted by the violations, we would expect that the fine in this case would be at least two orders of magnitude greater than any previous fine,” wrote the coalition of privacy activists. “Thus, if the agency fined Google $22 million in the Safari hack, a significant matter but also a discrete violation of a preexisting order, we anticipate that the fine against Facebook would exceed $2 billion. This would be a much larger fine than the FTC has issued in the past but not inconsistent with the fines that large firms often face when found guilty of far-reaching practices that violate the rights of consumers.”
According to EPIC, Facebook has repeatedly violated the consent order, but has so far avoided any punitive action. This time, due to the high-profile nature of the Cambridge Analytica scandal and the increased scrutiny placed on tech giants by regulators on both sides of the Atlantic, activists expect a penalty that will send a message. “The agency now has the legal authority, the evidence, and the public support to act,” said Marc Rotenberg, executive director of EPIC. “There can be no excuse for further delay.”
The consent agreement
The crux of the issue is whether Facebook violated the 2011 consent agreement. The agreement came about after a complaint filed by EPIC revealed deceptive practices at the core of Facebook’s privacy policy. The FTC can only impose a fine if the agreement was indeed violated. In a November 2011 press release, the FTC outlined the spirit of the agreement:
The … settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established … [and] bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
The press release lists several examples of Facebook’s deceptive privacy practices, including misrepresenting what user data third-party developers could access, how private users’ data actually was, whether data was shared with advertisers, and whether the company complied with the U.S.-EU Safe Harbor Framework.
To prevent these deceptive practices, the agreement lists nine separate sections with orders for Facebook, including:
- Maintaining accurate documentation of compliance with the order and keeping records of any complaints.
- Establishing a data privacy program designed to address privacy risks, protect covered information and keep that information from being accessed by unauthorized third parties.
- Clearly disclosing how user data is used and where it goes, and obtaining affirmative consent from users.
- Obtaining, within 180 days and every two years after that for the next 20 years, independent third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order and that the privacy of consumers’ information is protected.
EPIC’s recommendations
There is widespread agreement in political, tech and social circles that something has to change in order to curtail the power of tech giants like Google LLC, Amazon.com, Inc., Microsoft Corp. and Facebook.
In the letter sent to the FTC, EPIC and the coalition of privacy advocates had several suggestions that revolved around the idea that some of these companies are just too big, including restructuring Facebook to allow WhatsApp Messenger and Instagram to spin off and become independent entities again. The letter also calls for more diversity in hiring practices and a restoration of democratic governance — which, in this case, means restoring the “right of Facebook users to have meaningful input into the company’s decisions or to recommend to Congress that Facebook be regulated as a public utility.”
Another EPIC suggestion is to have the company formally adhere to Fair Information Practices, a code “that describes how an information-based society may approach information handling, storage, management, and flows with a view toward maintaining fairness, privacy, and security in a rapidly evolving global technology environment.”
The principles were first laid down in 1973 following a report by an advisory committee of the U.S. Department of Health, Education and Welfare. The resulting report, Records, Computers and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, set forth the following principles:
- There must be no personal-data record-keeping systems whose very existence is secret.
- There must be a way for an individual to find out what personal information is in a record and how it is used.
- There must be a way for an individual to prevent personal information obtained for one purpose from being used or made available for other purposes without consent.
- There must be a way for an individual to correct or amend a record of identifiable personal information.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.
These principles would eventually become the Organization for Economic Cooperation and Development Fair Information Practices, codified in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The guidelines form the basis for many data privacy regulations around the world, but without a robust investigation and remediation mechanism in place, there is nothing to stop big tech companies from agreeing in spirit to the principles, then violating them through actions that further the bottom line. How the FTC handles the investigation into Facebook’s alleged violation of the 2011 consent order, and what it decides to do if there was indeed a violation, will send an important message: either the government is not yet ready to impose strict requirements and penalties on the private tech sector, or stricter controls are on the way to curtail big tech and the abuses that can often stem from its power.
Takeaways
- The U.S. Federal Trade Commission is demonstrating its willingness to investigate data privacy violations and issue record-breaking fines when appropriate. For tech companies that collect and process data in the U.S. and have enjoyed a relatively regulation-free environment, this development points to stricter regulation and enforcement in the wings.
- According to EPIC, Facebook repeatedly violated the consent agreement it signed with the government in 2011 without facing punitive action. The current investigation and possible fine suggest that times have changed: the data collection “honeymoon” is coming to an end, and privacy and data protection are now major priorities for public and private watchdogs.