Ever since news broke that Facebook told its shareholders to prepare for a $5 billion fine from the U.S. Federal Trade Commission over violations of its 2011 consent decree with the agency, the Twitterverse spun into varied but equally strong reactions on two sides. There are those who cite it's the highest privacy enforcement fine in the FTC's history, and that ain't nothing. And there are those who say $5 billion is a drop in the bucket to a company as rich as Facebook and therefore indicates a failure on the FTC's part to enforce consumer privacy. 

The details of the fine are still unknown. The Wall Street Journal broke the story Friday, but the FTC has yet to comment, and the fine still needs approval from the Department of Justice. 

While there's merit in debating whether the fine is meaningful, a looming and larger question might be what the implications are for companies more broadly and how this might impact discussions in both boardrooms on operational risk, as well as at congressional hearings on how to regulate privacy federally. 

ADVERTISEMENT

Cassie IAPP Leaderboard - AI Checklist-041024-WP

Neil Chilson, former technologist at the FTC and now a fellow at the Charles Koch Institute, said the fine is significant because, while we still don't know everything about the legal theory in the case, the FTC "got the largest dollar amount ever in privacy settlement using its general (not privacy-specific) consumer protection authority in a case where no consumer lost a dime. That’s an aggressive approach, potentially beyond what Congress has empowered the agency to do. But it also shows that the FTC has powerful tools to protect consumers.”

Janis Kestenbaum, an attorney at Perkins Coie and previously a senior legal advisor to former FTC Chairwoman Edith Ramirez, said the fine signals the FTC today is "highly focused on privacy and data security, and unafraid to push the envelope when using its limited authority."

Others vehemently disagree, including Matthew Stoller, a fellow at the Open Markets Institute. 

"The fine is a joke, which is why Facebook's trade associations such as NetChoice are lobbying for it," Stoller said. "Who lobbies for their own fine unless it's not actually a penalty? They want a good headline. So they want to make the number seem like a record fine. When it isn't. The FTC wants you to compare it in absolute size, but that's apples to oranges. If you compare it to Facebook's revenue, it's relatively small." 

However, Georgetown University Law Professor David Vladeck, former director of the FTC's Bureau of Consumer Protection, said he thinks the fine makes sense if you crunch the numbers. 

"By my calculation, it is over 20% of Facebook's 2018 global profits ... and since only half of Facebook's revenues come from the U.S. [and] the FTC does not enforce U.S. law extra-territoriality, 5 billion is a big bite out of a full year's profits." 

Stoller said a more appropriate action would have been "forcing changes in the business model that would make a difference." But Vladeck noted it's hard to opine on a consent decree we haven't seen yet. 

He's interested to see whether the structural remedies imposed by the consent decree include things like tight control over third-party access to data; clarity about what information users consent to be shared, and with whom; and that the agency has "ample oversight capabilities, including real-time reporting of missteps by the company," such as the Cambridge Analytica incident.  

The FTC, which prefers to reach consensus in cases like this, was reportedly split among party lines, 3-2, with the Republicans voting in support and the Democrats voting against. It has been speculated around Washington water coolers, though not confirmed, that Democrats Rohit Chopra and Rebecca Kelly Slaughter wanted to guarantee such operational changes.

David Carroll, a professor at New York City's The New School and who sued Cambridge Analytica in an effort to find out what data it had stored on him — prompting an enforcement action from the U.K. Information Commissioner's Office for ignoring his request — said the fine indicates a weakness in the U.S. regulator's ability to do its job in regulating tech behemoths. 

"The U.S. clearly doesn’t have the tools to regulate Big Tech," Carroll said. "The Cambridge Analytica scandal illustrates this perfectly. Most Americans have no idea its servers were seized in the U.K. [by the] ICO under criminal warrant, and ultimately [Cambridge Analytica was] criminally convicted for defying the authorities. By contrast, the FTC’s record fine was instantly obliterated as investors surged the market cap beyond the cost of the fine. At least the U.K. had some tools to prosecute data crimes."

Justin Brookman, formerly policy director at the FTC's Office of Technology Research and Investigation and now policy director of consumer privacy and technology policy at Consumer Reports, said while "$5 billion is a lot of money, it's unclear to have an impact on Facebook's practices in general, absent clear, substantive limitations on what they can do with data." 

But Phil Lee, an attorney at Fieldfisher, said those kinds of comparisons miss the overall bigger picture, "namely that the FTC has broken new ground issuing a fine of this magnitude, and has created a precedent that it, or other wider international privacy regulators, can issue future fines of a similar scale. No matter how large your revenues, no business will fancy that prospect."

But what does all this mean for talks in the U.S. about a federal privacy law, if anything? A significant part of the conversation in Congressional hearings is who should enforce such a law. For now, that responsibility would fall squarely on the shoulders of the country's de-facto privacy regulator: the FTC. With wildly split reactions over whether the Facebook fine is a win or a loss for privacy, does that complicate the effort to push a baseline privacy law through? 

Kestenbaum says no.

"The reported settlement says nothing about the need for a federal privacy law. There are many reasons why the United States should have a baseline federal privacy law — no case changes that. But the reported settlement should definitively establish that the FTC is best positioned to serve as the enforcement agency under any new privacy law."

Stoller takes a different stance. He said the fine indicates: Why bother? 

"There's no need for a federal privacy bill," he said. "Why would it matter? Privacy enforcers don't enforce the law. Why would they enforce different laws? They don't enforce. "

Brookman, rather, thinks the controversy over the fine strengthens the movement toward passing something.

"If the order doesn't do anything to fundamentally rein in Facebook's data practices, then the calls for privacy law will only get stronger. The FTC just doesn't have the power under Section 5 [of the FTC Act] and with its limited enforcement staff to handle Facebook today. If people are outraged that the order doesn't do enough, the only solution is to enact stricter rules and to give the regulators greater authority."

While there have been calls on both sides of the political aisle to do that, the agency's budget hasn't been increased in decades. The agency has many times asked Congress for both more funding and more authority, including civil penalty authority so it could issue fines on a first offense instead of only after the violation of a consent decree. 

Cameron Kerry, a fellow at the Brookings Institution, said the fine highlights that the FTC needs stronger legal authorities to do its job and protect people’s privacy across the board. That means clear guardrails to address how companies collect, use and share data that would limit behavior like Cambridge Analytica's and authority to levy meaningful penalties in the first instance and not just for repeat offenses.

But to Matt Stoller, it isn't an issue of authority or resources. It's political. 

"No, industry doesn't have the ability to do whatever it wants. But Republican FTC Chairman Joe Simons and his two Republican fellow commissioners simply didn't want to penalize Facebook for violating the law. They just don't want to do their jobs." 

Perhaps more importantly to both U.S. consumers and the companies handling their data is what the fine changes on an operational level. Part of the frustration among those who see the fine as a failure is skepticism that it changes anything operationally at Facebook. At this point, it's only conjecture as to whether that position has merit as the details of the fine have yet to be released. 

Brookman thinks it will.

"Between this, and [the EU General Data Protection Regulation] and [California Consumer Privacy Act], and serious interest in Congress and other states, companies are going to start to realize the party's over," he said. "The data free-for-all of the last 20 years has to come to an end. And no, accountability programs and risk assessments aren't going to cut it."

Lee agrees that the fine indicates there'll be a shift now. He thinks it changes the conversation inside boardrooms over budgetary considerations on privacy and risk.

"Rightly or wrongly, many organizations provision their compliance budgets on the basis of enforcement risk," he said. "In a world where your potential risk is in the order of magnitude of a few hundred thousand to low millions of dollars, you get one size of budget. In a world where your potential risk runs to hundreds of millions, even billions, you get a very different size of budget." 

Photo by Alex Haney on Unsplash