While the 2019 Facebook settlement - following the Federal Trade Commission’s (FTC) $5 billion civil penalty for violations of a 2012 order - may not have made the headlines across the globe, its magnitude is historic and will reverberate across many sectors and geographies for years to come. However, it is not just about the mind-boggling size of the penalty (at a moment in time when European data protection authorities seem to be rather conservative in their sanctions), but about the organizational and cultural shift it imposes on Facebook. Undoubtedly, the unprecedented penalty has ensured the attention of companies, and hopefully it will also trigger some much-needed soul-searching that will result in a re-shaping of current privacy practices. Here’s why.
Starting from the beginning: what motivated this historic case in the first place? For this, we need to go back to 2012 when Facebook was charged with eight privacy violations by the FTC concerning, but not limited to, “deceptive claims about consumer’s ability to control the privacy of their personal data”.
In an agreement to settle the case, as well as being required to implement a reasonable privacy program, Facebook was prohibited from making misrepresentations about:
— the privacy or security of personal data;
— the extent to which consumer information is shared.
In short: the company was faced with honoring the privacy preferences of its consumers or risking an order enforcement action. According to the FTC, Facebook did not meet the requirements of the agreement and de facto misrepresented the extent to which account holders could control the privacy of their personal data.
The official complaint, in which the FTC alleges that Facebook violated its privacy promises to consumers and subsequently violated the 2012 Commission order, details the ways in which Facebook failed to meet the requirements. For instance, despite offering services such as “Privacy Shortcuts” and “Privacy Check-up” - which claimed to limit access to the user’s personal data by enabling users to manage their privacy settings, for example by limiting access to just their friends on Facebook - Facebook nonetheless provided access to companies that developed apps used by the user’s friends. Subsequently, information pertaining to the user’s relationship status, work history, religious and political convictions, as well as their photos and the videos they watched, was captured and shared with third parties. Moreover, the settings offered by Facebook to guarantee the privacy preferences of the users were not easily accessible or in the proximity of the section in which consumers were supposedly able to “review and edit the privacy of key pieces of information”. Instead, these settings were stored in a place that was much less obvious.
As mentioned, this settlement is about more than just the money - it goes deeper, as it resets the way Facebook has been dealing with privacy to date and considerably limits the powers of its key figure and founder, Mark Zuckerberg, as regards decision-making on privacy matters.
In addition to having to implement a rigorous program to monitor third-party developers, Facebook must put in place a comprehensive data security program in order to protect consumers’ privacy. Importantly, these programs must also cover companies controlled by Facebook, including Instagram, WhatsApp, and other Facebook-owned affiliates that receive information about its consumers up until 2039.
The FTC order re-writes the privacy map of Facebook by setting up an Independent Privacy Committee as a subgroup to Facebook’s Board of Directors. Importantly, Mr. Zuckerberg, along with Facebook officers and staff are ineligible for membership. The mandate of the Committee includes briefings about all material privacy risks, as well as the right to approve and remove designated Compliance Officers and the new Third Party Assessor.
At the operational level, designated Compliance Officers will implement the Facebook privacy program. This includes documenting each and every material privacy decision and providing this documentation to the Third Party Assessor and the CEO every quarter. Additionally, the Compliance Officers will have to certify to the FTC that Facebook is fully compliant with the privacy program. Failing to do so will activate closer oversight by the FTC. The Committee will also meet with the Third Party Assessor (“the Assessor”) without Facebook each quarter.
The Assessor is responsible for monitoring and will be conducting independent evaluations of Facebook’s privacy practices every two years.
As mentioned, Mr. Zuckerberg’s role will also change dramatically. As the CEO of the company, he will receive the written privacy program and quarterly reports of privacy decisions, and on a quarterly basis will have to certify that Facebook complies with the privacy program - an untruthful certification could result in civil or criminal penalties.
Mr. Zuckerberg has no say in the appointment or removal of the Assessor and the Compliance Officers (this lies with the Committee), and no control over the Committee.
As for the regulator - the FTC - it will have unmatched access to Facebook’s privacy decisions and, upon request, copies of the Assessor’s reports. The order also comes with instruments that will facilitate further access into the privacy compliance of Facebook.
Certainly, many CEOs and Compliance Officers alike will respond to the news of this penalty by stating, correctly, that most companies are not Facebook and that this is an extreme case. While this may very well be true, in a data-driven economy dependent on consumer data as fuel, are there really no lessons to be drawn from this precedent?