Data Protection Report - Norton Rose Fulbright

On Friday, July 12, 2019, the Wall Street Journal reported that the Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion fine on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine far surpasses the FTC’s previously imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users.

The FTC’s investigation leading to this settlement dates back to 2011, when Facebook promised the FTC in a consent decree that it would not share user data with third parties without the express consent of the user. The FTC’s investigation into Facebook’s privacy practices was triggered in March of 2018, when it was discovered that Cambridge Analytica had obtained information on up to 87 million Facebook users from a researcher who created a personality quiz app on Facebook. It is suspected that the FTC believed this information was improperly obtained and violated the 2011 consent decree.

Facebook had reportedly expected a fine as a result of the investigation in the range of US$3 billion to US$5 billion, and had set aside US$3 billion during the first quarter as part of the expected fine. However, as of the report on July 12, there is no indication that the FTC has imposed any restrictions on how Facebook handles user data. At this time, the fine is the only penalty or measure reported.

During the settlement negotiation period in early May, members of Congress sent letters to the FTC, asking that the FTC “compel sweeping changes to end the social network’s pattern of misuse and abuse of personal data.” Thus, the newly announced settlement has drawn criticism, with lawmakers and advocacy groups blasting the settlement by saying that the fine itself was not large enough or would not lead Facebook to change or enhance its privacy practices. For example, Senator Mark Warner, D-Va., stated on July 12 that “[g]iven Facebook’s repeated privacy violations, it is clear that fundamental structural reforms are required… with the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it’s time for Congress to act.” Other members of Congress commented that the “FTC just gave Facebook a Christmas present five months early” and described the US$5 billion settlement as “chump change” or a “mosquito bite.”

The settlement has yet to be approved by the Justice Department, though it is expected to approve the agreement.

Our take

Norton Rose Fulbright has not reviewed the settlement itself, but if the reports are accurate, this demonstrates a significant shift in US regulatory action. It appears that US regulators have begun to levy fines on the same scale (or in this case over twice as large) as the European Union’s GDPR fine structure to punish large companies for mishaps in their privacy practices. Even with the largest fine in FTC history on privacy matters, some of the backlash from Congress signifies that there may be some increasing impetus within the US government to put legislative privacy safeguards in place.