This post was updated on August 8 to include a reference to a reporting of data misuse involving Instagram and a third-party marketing company.
On July 24, 2019 the U.S. Federal Trade Commission (FTC) fined Facebook $5 billion USD as part of a settlement for a series of privacy violations linked to the misuse of data with the company Cambridge Analytica.
Despite the record-breaking size of this fine in the U.S., the agreed settlement between Facebook and the FTC will likely not lead to changes in company behavior nor significant reforms to its privacy invasive practices. The drastically delayed action and the insufficient remedy indicate the FTC is unable to meaningfully protect privacy in the United States under the current framework.
What happened?
In 2018, The New York Times and The Guardian reported stories about Cambridge Analytica, a controversial “data analytics” company, and its relationship with Facebook. It began in 2014 when a group of social scientists led by Aleksandr Kogan created and deployed a personality test called “thisisyourdigitallife” via Facebook. This test allowed researchers to access personal information not only about those who used it but also about their Facebook friends without knowledge or consent. This feature allowed Kogan and his team to harvest the information of about 50 million people which was disclosed to Cambridge Analytica. Cambridge Analytica then analyzed and used the data to create and purchase highly targeted ads that were deployed during the 2016 U.S. presidential election, the UK Brexit referendum, as well as other high-profile elections and debates.
Cambridge Analytica acquired the data from Kogan’s firm not because of a security flaw, a breach, or a hack, but because of a business decision. It is a foreseeable consequence of a common business model: the widespread (over) collection and processing of personal information. Since the revelations of this major misuse of data, both Facebook and Cambridge Anlytica were fined in the U.K., Italy, and now the U.S. for violating privacy and data protection rights.
Why is the FTC decision insufficient to protect users’ rights?
While it is positive to see authorities around the world taking action to enforce privacy rights, the FTC settlement is insufficient.
First, the penalty given to Facebook is insufficient considering the company’s global revenue, estimated at $55.8 billion USD in 2018. Even before the FTC decision was made public, it was widely reported that Facebook had merely written the fine into its quarterly statements as a one-time loss to be offset by earnings. Adding insult to injury, the day the decision was leaked to the press, Facebook’s stock prices skyrocketed, demonstrating that big-scale investors do not necessarily respond to similar FTC privacy-related decisions.
Second, the FTC settlement includes new privacy measures for Facebook to follow, but these are likely insufficient to force Facebook to make meaningful changes on its platform to improve users’ privacy, and will not ensure that a similar violation of users’ rights will not happen again. FTC commissioner Rohit Chopra, who voted against the settlement, said that “The settlement imposes no meaningful changes to the company’s structure or financial incentives, nor does it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.”
What is more, the settlement indemnifies Facebook for any and all claims prior to June 12, 2019, when the decision was reached. This means that, potentially, Facebook could avoid being held accountable for any privacy violations that happened prior to that date, even in the event that an incident which occurred before the cut-off comes to light years later. One such incident could be related to a reported case of data misuse involving a third party marketing firm called Hyp3r that engaged in unwarranted data scraping from Instagram, a Facebook product. The nefarious activity included location tracking and storing Instagram stories, which are supposed to disappear within 24 hours, for an indefinite period of time. Instagram reacted by sending a cease-and-desist letter to the firm and removed Hyp3r from the platform. However, it is unclear how many users were affected by this data disclosure and whether the FTC would be able to investigate the possible privacy and data violations given the indemnity granted to Facebook under the Cambridge Analytica settlement.
So, not only did the FTC drag its feet in responding to the Cambridge Analytica scandal, it also provided Facebook a way to escape potential future investigations. This is absolutely unacceptable as it undermines users’ ability to access remedy in the face of violations.
What is the way forward?
In sum, this disappointing announcement has confirmed that the FTC does not possess sufficient authority for effectively overseeing data protection in the United States.
The U.S. needs a robust federal data protection and privacy law that ensures users’ rights are meaningfully protected across the entire digital economy and the internet value chain. This federal law must be accompanied by an independent data protection commission with resources to monitor implementation, conduct investigations, and sanction entities in case of data protection violations. Until that happens, the privacy and data rights of users in the U.S. and around the world will remain at risk.