Zuckerberg responsible for Facebook privacy compliance after $5bn FTC fine

Facebook pays record fine after breaching users’ privacy, following settlements with Federal Trade Commission and Securities and Exchange Commission

Facebook has reached settlements with US government regulators after investigations into the company’s controversial data-sharing practices.

The social media giant has agreed to pay the Federal Trade Commission (FTC) a record $5bn fine as part of a 20-year settlement order.

The fine is the largest ever imposed on a company for violating consumers’ privacy rights, and is almost 20 times more than the previous largest privacy or data security penalty imposed worldwide.

Facebook has disclosed that it faces a further FTC antitrust investigation. The new scrutiny is expected to investigate Facebook’s conduct over its acquisitions, which include Instagram and WhatsApp.

But US law makers, and current and former regulators, have criticised the FTC for failing to go far enough.

The settlement controversially removes any liability for Facebook, its officers and directors for privacy breaches before June 2019.

The FTC, which began investigating Facebook last year following Cambridge Analytica’s misuse of data, accused Facebook of failing to comply with the conditions of its FTC settlement from 2011.

The FTC alleged that Facebook had deceived its users by sharing their data with third-party apps, even when users had set restrictive privacy settings.

The FTC accused Facebook of breaking its promise in 2014 to stop third-party app developers from collecting private data about friends of Facebook users who signed up for apps.

It claimed Facebook allowed the practice to continue until April 2015, and that it went on to allow app developers to continue accessing data about users’ friends until at least June 2018 by secretly whitelisting selected app developers.

Facebook today removed access to friends data from Microsoft and Sony. The social network said it had mistakenly allowed the companies continued access to data belonging to users’ Facebook friends.

Facebook also behaved deceptively by encouraging users to supply their phone numbers to secure their accounts using two-factor authentication, without making it clear that it was also sharing those numbers with third-party advertisers, the FTC said.

Significant privacy requirements imposed on Facebook

The company has agreed to set up a board committee on privacy and new executive certifications to ensure its users are properly protected, under the settlement.

Facebook CEO Mark Zuckerberg will be personally responsible for the company’s data protection practices, having to report to the FTC every three months to prove that user data is being safeguarded adequately.

The order also imposes other significant privacy requirements on Facebook, including prohibiting it from using telephone numbers obtained to enable two-factor authentication for advertising, requiring it to provide clear and conspicuous notice of its use of facial recognition technology, and forcing it to establish and maintain a comprehensive data security programme.

“The magnitude of the $5bn penalty and sweeping conduct relief are unprecedented in the history of the FTC,” said FTC chairman Joe Simons.

“The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

Democratic commissioners Rohit Chopra and Rebecca Kelly Slaughter, however, voted against the FTC’s decision, saying that it did not go far enough and should have included a higher penalty.

“Mark Zuckerberg, Sheryl Sandberg, and other executives get blanket immunity for their role in the violations. This is wrong and sets a terrible precedent. The law doesn’t give them a special exemption,” Chopra tweeted.

“Facebook’s flagrant violations were a direct result of its business model of mass surveillance and manipulation, and this action blesses this model. The settlement does not fix this problem.”

Although the settlement order does not require Facebook to admit culpability for its alleged actions during the Cambridge Analytica scandal, which exposed the data of more than 85 million users, the FTC has also announced that separate law enforcement actions will be taken against the analytics firm, its former CEO Alexander Nix and Aleksandr Kogan, an app developer who worked with the company.

As part of the proposed settlement, both individuals have already agreed to restrictions on how they conduct business in the future.

Separately, Facebook has also been fined $100m by the US Securities and Exchange Commission (SEC).

The SEC accused Facebook of failing to disclose the risks of its privacy practices to investors, claiming that developers and other third parties may have violated Facebook policies or failed to gain user permission when obtaining the data.

“Facebook misleadingly presented the potential for misuse of user data as merely a hypothetical investment risk,” said the SEC complaint.

“Moreover, when asked by reporters in 2017 about its investigation into the Cambridge Analytica matter, Facebook falsely claimed that the company found no evidence of wrongdoing, thereby reinforcing the misleading statements in its periodic filings.”

Computer Weekly has revealed 22 occasions when Facebook violated its users’ privacy, including multiple instances of the firm surreptitiously tracking users’ activity either without consent or in ways that it had explicitly promised it would not.

Facebook came under fire from US law makers in the Senate’s banking committee over its Libra project, who said it takes a “breathtaking amount of arrogance” to launch a global digital currency given the company’s poor track record on privacy.

The company is expected to face further scrutiny from the US Department of Justice’s Antitrust Division, which has announced a review of anti-competitive practices by big tech companies.

The review, into the behaviour of market-leading online platforms, will look at “widespread concerns” over search companies, social media and some online retailers – putting Facebook, Google and Amazon in the frame.

The Department of Justice plans to assess whether big tech companies have engaged in practices that have reduced competition, stifled innovation or otherwise harmed consumers.

Assistant attorney general Makan Delrahim of the Antitrust Division said: “Without the discipline of meaningful market-based competition, digital platforms may act in ways that are not responsive to consumer demands. The department’s antitrust review will explore these important issues.”

Regulators have historically faced difficulties in carrying out antitrust investigations into companies that offer their services free. But regulators are increasingly regarding companies’ handling of data privacy as an antitrust issue, irrespective of whether services are charged for.

Delrahim argued in a speech in June that privacy is an important element of competition law, saying: “By protecting competition, we can have an impact on privacy and data protection.”

Separately, US state attorneys general have written a joint letter to the FTC urging the regulator to consider issues beyond consumer prices, including the impact on privacy, quality and innovation, in antitrust cases. 

Zuckerberg said in a statement that complying with the FTC agreement would take hundreds of engineers to document and mitigate privacy risks, and that it would necessarily take longer to build new products in future.

“Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone,” he said.

Settlement does not go far enough

The settlement has come in for criticism from politicians and regulators, however, who argue it does not go far enough.

Ashkan Soltani, former chief technology officer of the FTC, said on Twitter that the deal represented a terrible outcome for the regulator.

“Facebook essentially bought a $5bn ‘get out of jail’ card, dictated the press cycle [to be on a day to minimise mainstream coverage] and managed to avoid having Zuckerberg deposed. If his ‘home’ regulator can’t get him on the stand, then nobody can,” he said.

The agreement has some oversight provisions and technical injunctions to address past behaviour, but will do very little to address the future direction of Facebook, including its development of the cryptocurrency Libra.

US Senator Ron Wyden slammed the FTC for agreeing what he called a “sweetheart deal” with Facebook.

“For a mere fraction of Facebook’s annual revenues, the FTC has given Facebook and executives like Mark Zuckerberg and Sheryl Sandberg blanket immunity for violations of the law that we know about, and even for potential crimes that are still unknown,” he said.

Wyden is backing a privacy bill to give the FTC further powers to hold executives personally responsible if they lie about protecting the data of US citizens. 

“The FTC is sending the message that wealthy executives and massive corporations can rampantly violate Americans’ privacy, lie about how our personal information is used and abused and get off with no meaningful consequences,” he said.

Dina Srinivasan, author of a major study into Facebook’s privacy practices, The antitrust case against Facebook, said Facebook had promised us it would not let other companies gain access to its data, but had provided it to Cambridge Analytica, which had used it to target individual voters in advance of the US elections.

“Facebook breached user privacy, interfered with the sanctity of democratic elections, and makes tens of billions of dollars by reducing users’ privacy and micro targeting them. A $5bn fine is not likely to change Facebook’s behaviour moving forward,” she said.

The US Department of Justice’s investigation into big tech companies shows that US antitrust laws are capable of regulating companies that offer free services to consumers, said Srinivasan.

“All of this means that companies like Google and Facebook could now face serious challenges to their business practices. The fact that their services are free will not shield them from antitrust enforcement,” she added.

Despite its regulatory issues, Facebook has exceeded analysts’ expectations, reporting revenues of $16.9bn for the second quarter of 2019.
