Following a year-long investigation into Facebook's role in the Cambridge Analytica privacy saga (which we have written about previously here), the US Federal Trade Commission (FTC) and Facebook have reached a settlement whereby Facebook will be required to pay US $5.1 billion for violating a previous settlement order with the FTC.
Although the amount of US $5.1 billion has taken out the record for the largest privacy fine in history (being 20 times greater than the largest privacy/data security penalty previously imposed worldwide), critics including the two Democrats who opposed the settlement are not satisfied, claiming that it did not go far enough.
Significantly, the settlement does not require Facebook to make meaningful changes to its business model and the way it operates, allowing it to continue harvesting user data and targeting users through its powerful advertising business. This is in stark contrast with Australia's recent recommendations made by the competition and consumer regulator in its digital platforms inquiry where it makes economy-wide recommendations that will impact current business practices (which we outline below and further summarise here).
In addition to paying a US $5.1 billion fine, which equates to only nine per cent of its 2018 revenue, Facebook will be required to make various improvements to the way it approaches data privacy, including through greater involvement and oversight at the most senior levels. Specifically, Facebook must:
- create an independent privacy committee comprising of board members to oversee its privacy program, who can only be removed by a two-third vote of Facebook's board – thereby removing CEO Mark Zuckerberg's previously unfettered control
- submit to the FTC quarterly and annual privacy compliance statements independently certified by Mr Zuckerberg to demonstrate compliance with its privacy program
- appoint an independent privacy assessor approved by the FTC to monitor and provide quarterly assessments to the privacy committee regarding the privacy program
- conduct privacy reviews for every new or modified product, service or practice (including with respect to third parties) before implementation and generate quarterly privacy review reports to be shared with Mr Zuckerberg and the independent privacy assessor, as well as the FTC upon request.
Although these requirements go some way to ensuring oversight of Facebook's compliance with its privacy program, the issue remains that Facebook itself will be creating its own privacy program to comply with.
More to come?
It is unlikely that it will end here for Facebook – it has also agreed to pay US $100 million to the Securities Exchange Commission for misleading its investors and is subject to ongoing investigations, including by the FTC for antitrust violations and European data protection authorities for contravening the General Data Protection Regulation potentially exposing Facebook to further hefty fines.
Not so fine in Australia
The FTC settlement with Facebook is very different to the recent recommendations made by Australia's competition and consumer regulator in its digital platforms inquiry where it expressly acknowledges the impact of the digital giants' business operations on privacy, competition and consumer protection issues. The ACCC's recommendations, if implemented, will force changes to current business practices economy-wide. Key recommendations include:
- changes to search engines and internet browser defaults
- the introduction of an enforceable Privacy Code of Practice for digital platforms (including strengthened consent requirements with multi-layered notices about data practices that do not increase the information burden on consumers)
- a regulatory branch of the ACCC charged with proactively investigating, monitoring and enforcing issues in digital markets
- further investigation into data portability and interoperability and the opacity of the ad tech supply chain where any potentially anti-competitive practices can be impossible to detect.
Although Facebook was not required to make fundamental changes to its business model, it would be an opportune time for organisations reliant on user data to review and re-think their business models for privacy compliance in order to ensure long-term success and sustainability. Australian businesses economy-wide (including Facebook), will also need to do this in light of the ACCC's recommendations once implemented, but for a wider range of issues including privacy, consumer and competition considerations.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.