Greetings from Portsmouth, NH!
What a week for privacy enforcement here in the U.S. In a "normal" week, a Federal Trade Commission fine potentially totaling $700 million would easily have been the leading privacy development for the entire year. Next to that, a Securities & Exchange Commission fine of Facebook for $100 million would also be a ground-breaking news story.
But not this week. Those were both overshadowed by another major development.
After what seems like a slow bleed of news leaks and rumors of an impending enforcement action, the FTC finally announced its settlement with Facebook for alleged violations of its 2012 consent order. And yes, the rumors were true: The fine is $5 billion. No doubt this is a massive fine totaling 9% of Facebook's 2018 revenue and 23% of its 2018 profit. The fine is so big, in fact, that the IAPP Westin Research Center found that it is more than twice the approximated cumulative total of all other major global privacy and data security fines put together. Check out our infographic to visualize these immense numbers.
Unsurprisingly, there is no agreement on whether the fine or settlement was enough, even among the commissioners. Democratic FTC Commissioners Rohit Chopra and Rebecca Slaughter both voted against the settlement, and each offered a dissenting opinion. Chopra said "the Commissioners cut off the inquiry too early" and that the "fine print ... gives Facebook a lot to celebrate, particularly when it comes to blanket immunity for unspecified violations by Facebook and its executives." He added, "When companies can violate the law, pay big penalties, and still turn a profit while keeping their business model intact, enforcement agencies cannot claim victory." Slaughter was a bit more tempered in her dissent, but clearly wanted the agency to litigate a more robust settlement, noting that she did "not share my colleagues' confidence that the order or the monetary penalty will effectively deter Facebook from engaging in future law violations, and thus I fear it leaves the American public vulnerable."
IAPP Chief Knowledge Officer Omer Tene assessed the "winners and losers" of the settlement, noting that it's really a stalemate at this point. "In all," he wrote, "we should take this regulatory storm with a grain of salt." Microsoft faced antitrust action 20 years ago but is now the most valuable company in the world. "Its path to dominance ebbed and flowed and was driven by technological and market developments ... more than by regulatory action or inaction."
Though the FTC's settlement doesn't change Facebook's business model, it has undoubtedly elevated privacy and data security to the board of directors level.
And not only in the Facebook case. Monday's settlement with Equifax — historic in its own right — requires Equifax to obtain annual certifications from its board of directors confirming that the company is complying with the order and to ensure service providers accessing personal information stored by Equifax also implement "adequate safeguards to protect such data." Facebook's requirements are even more stringent. The order establishes an independent privacy committee of Facebook's board of directors whose members must be appointed by an independent nominating committee and can only be fired by a supermajority of Facebook board directors. It even places civil and criminal liability on individuals if any quarterly and annual compliance certifications are falsified.
In both cases, too, the FTC will be able to appoint and dismiss required third-party assessors of each company's obligations.
Interestingly, during the FTC press conference on the Facebook settlement, Commissioner Noah Phillips said, "This is Sarbanes Oxley for privacy." Sure, it's not a federal law like SOX is, but maybe we're getting close to a privacy version of SOX in the near future.
True, both Equifax and especially Facebook have unique business models, but the FTC is now looking at company boards of directors and individual liability in privacy and data security cases. If that doesn't get the C-suite's attention, I'm not sure what will.