All the money in the world! Facebook agrees to pay USD $5 billion for breaches of privacy laws

Key Points

• Facebook has agreed to pay a record breaking USD $5 billion fine for deceiving 80+ million users about its ability to protect their personal information.

• The multibillion dollar fine is in addition to a $100 million settlement under which Facebook will be required to hand over its privacy decisions to an independent privacy committee.

In a landmark decision, the Federal Trade Commission (FTC), the US consumer regulator, has announced that Facebook has agreed to pay a USD $5 billion (AUD $7.1 billion) fine for deceiving its 80+ million users about the social medial giant’s ability to protect user’s personal information. The multibillion dollar fine is in addition to a $100 million settlement with the US Securities Exchange Commission (SEC).

According to the SEC, under the terms of the settlement:

• CEO Mark Zuckerberg, alongside other compliance officers, will be required to certify that Facebook has taken steps to protect users’ privacy;
• Facebook will have to relinquish some control over its privacy decisions which will be handed over to an independent privacy committee of the Facebook board of directors; and
• the company will be subject to more stringent privacy requirements, including greater oversight over third party applications and the issue of notices in relation to facial recognition tools.

The fine is one of the largest regulatory penalties imposed by the US government and stems from findings that Facebook failed to ensure the destruction of personal information harvested by Cambridge Analytica. If the name sounds familiar, you may recall that in late 2015 the Guardian reported that Cambridge Analytica was assisting Ted Cruz’s presidential campaign by using psychological data harvested from tens of millions of Facebook users in an attempt to gain advantage over the Republican candidate’s competitors. According to the SEC, Facebook discovered the misuse of its users’ information at the time but did not correct its existing disclosure for more than 2 years. Facebook has not admitted or denied the SEC claims.

As to the question of whether the penalties are sufficient given the scale of the breaches, opinions are divided. FTC Chairman, Joe Simons, stated that “the relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continue violations”. Others are not so convinced given that Facebook generated some $22 billion last year. In an open letter to the FTC, Richard Blumenthal of Connecticut and Senator Josh Hawley, a Missouri Republican wrote “If the FTC is seen as a traffic police handing out speeding tickets to companies profiting off breaking the law, then Facebook and others will continue to push the boundaries”. The sentiment is mirrored by many who consider that Facebook, including its CEO Mark Zuckerberg, should face prosecution.

Despite the differences of opinion, the record breaking fine must be considered against the backdrop of recent global changes to rein in privacy breaches and the prolific commoditisation of users’ data. The European Union and the UK have recently made positive strives towards reinforcing privacy protections via the General Data Protection Regulation (more colloquially referred to as the GDPR laws). Similarly, Australia has seen the introduction of the notifiable data breaches regime. These laws go a long way in giving people control over their data and impose strict notification obligations in circumstances where there has been a data breach.

The incident illustrates the need for vigilance and a proactive approach towards privacy protection in an ever-changing technology landscape.

Post by John Kell and Vanja Simic