So who won the bout between Facebook and the U.S. Federal Trade Commission? Everyone and no one.
On the one hand, both sides can claim victory. The FTC imposed its largest privacy fine ever, 200 times over, came up with new stringent compliance obligations, and did so while avoiding long, costly and, most importantly, risky litigation. Facebook shielded its senior executives from liability, obtained immunity from years’ worth of questionable practices, and did so without changing its underlying business model.
Interim score: 1 to 1.
On the other hand, both sides came up short. The FTC had to reconcile with its institutional weakness in this space. Absent a legislative mandate, it can neither change Facebook’s underlying business practices nor punish it or its executives for actions that may have violated a previous agreement but are unlikely to have violated any law. And Facebook — squeezed by political and public backlash on issues ranging from content moderation to the future of cash — felt compelled to succumb to burdensome terms that render the government a partner in future product development and expose senior officers to personal responsibility. Moreover, Facebook’s legal troubles are hardly over, with a dozen privacy investigations brewing in Dublin and antitrust regulators from Washington to Brussels to Bonn circling the company ominously.
Final score: 0 to 0.
Hence, perhaps as a sign of a good agreement, nobody won, and nobody lost. At least pending a move from Congress, the stalemate continues.
Why this happened
Though not coincidental, and indeed carefully scripted by PR experts, the timing of the settlement announcement, just as former Special Counsel for the Department of Justice Robert Mueller made his dramatic entrance to the Rayburn House Office Building and was sworn in for his House Judiciary Committee testimony, felt like karma. After all, the FTC enforcement action against Facebook stems from the same facts investigated by Mueller: a foreign power meddling in the U.S. elections, shady ties to the Trump campaign, Russia, Aleksandr Kogan, Cambridge Analytica. Take away the elections drama, and to a privacy professional, the Facebook case seems almost mundane. Front-page headlines in The New York Times all of a sudden discuss application programming interfaces and apps’ access to personal data.
An app developer accessing data about hundreds of thousands of users and sharing it with a long list of third parties? Welcome to the digital economy. Individuals’ location and browsing habits put into the stream of commerce for real-time bidders to commission on data exchanges? What’s new? Have a look at the LUMAscape. Digital platforms relying on standard contracts to propagate liability to remote vendors and customers with little if any accountability or control? When did you last look at EU model clauses, which despite almost spawning a trans-Atlantic trade war, are seldom read, never mind enforced?
Seen this way, it is clear why both parties were strongly motivated to cut their losses and move on. Absent a federal privacy law, the FTC’s enforcement authority against practices that are ubiquitous in the market is brittle. Taken to court, the Facebook case could wither and spin off course at so many turns and junctures, it was better to keep the litigation vehicle parked. Luckily for the agency, Facebook itself had little appetite for litigation, discovery and painful depositions. After a couple of trips to Washington, Facebook CEO Mark Zuckerberg no doubt prefers to bask in the California sun and continue appearing before engineers and developers, instead of politicians and legal eagles. Who would blame him?
What will change
Assessed on its merits, the Facebook settlement provides excellent precedent for future regulation. To be sure, it isn’t law. Indeed, it isn’t even jurisprudence — like previous respondents, Facebook didn’t even admit the alleged facts. But, as Professors Daniel Solove and Woodrow Hartzog observed, FTC cases build up toward a common law of sorts, since U.S. government action cannot be capricious or arbitrary. This means that the sky-high penalty agreed to by Facebook — $5 billion — will become a guidepost in future cases. Earlier this week, the FTC imposed a stellar fine in a data security case, $570 million against Equifax. Out: EU General Data Protection Regulation 4% of annual global turnover. In: FTC 9% of Facebook's 2018 revenue. And while we’re unlikely to see another $5 billion privacy penalty any time soon, the FTC has undoubtedly raised the bar for future cases.
More importantly, the governance mechanisms set forth by the parties resonate.
Appointing a standing privacy committee in the board of directors comprised entirely of outside directors with privacy literacy is a major structural shift. Until recently, a chief privacy officer who wanted to talk to the board had to politely ask for a meeting with the general counsel who would consider it among a dozen other regulatory issues. Periodic personal certifications of compliance by the CEO and CPO, which can and will be propagated to lower-ranking managers, are a game-changer in terms of individual responsibility, liability and accountability. Few things give a senior officer pause like having to attest to the company’s compliance under threat of civil and criminal penalties. FTC involvement in risk assessments for new products and services will provide the regulator with enhanced leverage over companies’ data practices. Training the entire workforce on privacy has already been embraced by forward-looking companies and should become a market best practice.
If these changes appear as standard requirements under future FTC enforcement actions, privacy will be better for the Facebook case.
The future
In all, we should take this regulatory storm with a grain of salt. Twenty years after the U.S. government nearly broke it up in an antitrust action, Microsoft today is the most valuable company in the world, with a market cap of more than $1 trillion. Its path to this new dominance ebbed and flowed and was driven by technological and market developments, most prominently the rise of the cloud, more than by regulatory action or inaction. Where will Facebook be in 20 years? Only a fool would venture to guess. But the answer is likely more closely linked to the uptake and performance of Oculus and Libra than to any law or regulation.