Greetings from Brussels!
It’s sweltering here, much like most of western Europe. Belgium is recording its highest ever temperatures since records began in 1833. We may well have to start getting used to these freak heat waves. The temperatures have been intense throughout Europe, making it the hottest June on record.
This week saw another blistering record in the making. The U.S. Federal Trade Commission formally announced a mammoth $5 billion settlement with Facebook, which is the culmination of a years-long investigation into the Cambridge Analytica scandal and other privacy breaches. Pause for a moment here: This is no minor slap on the wrist. This amount is greater than the aggregate total of all privacy-related fines issued to date globally. It dwarfs all previous fines, and for size, it is more than twice the maximum fine permitted under the GDPR, representing about 9% of Facebook’s 2018 revenue.
This landmark decision includes other meaningful obligations. On the one hand, Facebook will be required to conduct a privacy review of every new product or service that it develops, and these reviews must be submitted to the CEO and a third-party assessor every quarter. In short, if third-party developers fail to certify that they are in compliance with Facebook’s platform policies, or fail to justify their need for specific data, Facebook will be obliged to terminate those relationships.
Moreover, the settlement imposes a privacy regime that includes a new corporate governance structure, with accountability and more rigorous compliance monitoring. Facebook will be obliged to create a new board of directors privacy committee, creating greater accountability at the board level. The appointed directors must be independent, with relevant privacy and compliance expertise, protected from removal by company shareholders in their duties. Significantly, the CEO and the “designated compliance officers” must submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. The order also subjects Facebook CEO Mark Zuckerberg and the DCOs to civil and criminal liability.
This is an enormous directive handed down by the FTC, and it will undoubtedly send shockwaves through the corporate world. Make no mistake, this will set a precedent on how large organizations need to look at personal data both internally and externally, as they manage and interact with third-parties through their supply chains. Facebook commented Wednesday that “the agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company” adding that “it will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”
There are important lessons here and clear indications in this judgment regarding best practices in the area of accountability in privacy program management. Through this ruling the FTC has clearly raised the bar for privacy compliance, elevating it to a top regulatory concern for companies. The smart company will be taking notice, and in turn, looking to solutions where required.
If you want to comment on this post, you need to login.