Ever since news broke that Facebook told its shareholders to prepare for a $5 billion fine from the U.S. Federal Trade Commission over violations of its 2011 consent decree with the agency, the Twitterverse spun into varied but equally strong reactions on two sides. There are those who cite it's the highest privacy enforcement fine in the FTC's history, and that ain't nothing. And there are those who say $5 billion is a drop in the bucket to a company as rich as Facebook and therefore indicates a failure on the FTC's part to enforce consumer privacy.
The details of the fine are still unknown. The Wall Street Journal broke the story Friday, but the FTC has yet to comment, and the fine still needs approval from the Department of Justice.
While there's merit in debating whether the fine is meaningful, a looming and larger question might be what the implications are for companies more broadly and how this might impact discussions in both boardrooms on operational risk, as well as at Congressional hearings on how to regulate privacy federally.
Neil Chilson, former technologist at the FTC and now a fellow at the Charles Koch Institute, said the fine is significant because, while we still don't know everything about the legal theory in the case, the FTC "got the largest dollar amount ever in privacy settlement using its general (not privacy-specific) consumer protection authority in a case where no consumer lost a dime. That’s an aggressive approach, potentially beyond what Congress has empowered the agency to do. But it also shows that the FTC has powerful tools to protect consumers.”
Janis Kestenbaum, an attorney at Perkins Coie and previously a senior legal advisor to former FTC Chairwoman Edith Ramirez, said the fine signals the FTC today is "highly focused on privacy and data security, and unafraid to push the envelope when using its limited authority."
Others vehemently disagree, including Matthew Stoller, a fellow at the Open Markets Institute.
"The fine is a joke, which is why Facebook's trade associations such as NetChoice are lobbying for it," Stoller said. "Who lobbies for their own fine unless it's not actually a penalty? They want a good headline. So they want to make the number seem like a record fine. When it isn't. The FTC wants you to compare it in absolute size, but that's apples to oranges. If you compare it to Facebook's revenue, it's relatively small."
However, Georgetown University Law Professor David Vladeck, former director of the FTC's Bureau of Consumer Protection, said he thinks the fine makes sense if you crunch the numbers.
"By my calculation, it is over 20% of Facebook's 2018 global profits ... and since only half of Facebook's revenues come from the U.S. [and] the FTC does not enforce U.S. law extra-territoriality, 5 billion is a big bite out of a full year's profits."
Stoller said a more appropriate action would have been "forcing changes in the business model that would make a difference." But Vladeck noted it's hard to opine on a consent decree we haven't seen yet.
He's interested to see whether the structural remedies imposed by the consent decree include things like tight control over third-party access to data; clarity about what information users consent to be shared, and with whom; and that the agency has "ample oversight capabilities, including real-time reporting of missteps by the company," such as the Cambridge Analytica incident.
The FTC, which prefers to reach consensus in cases like this, was reportedly split among party lines, 3-2, with the Republicans voting in support and the Democrats voting against. It has been speculated around Washington water coolers, though not confirmed, that Democrats Rohit Chopra and Rebecca Kelly Slaughter wanted to guarantee such operational changes.
David Carroll, a professor at New York City's The New School and who sued Cambridge Analytica in an effort to find out what data it had stored on him — prompting an enforcement action from the U.K. Information Commissioner's Office for ignoring his request — said the fine indicates a weakness in the U.S. regulator's ability to do its job in regulating tech behemoths.
"The U.S. clearly doesn’t have the tools to regulate Big Tech," Carroll said. "The Cambridge Analytica scandal illustrates this perfectly. Most Americans have no idea its servers were seized in the U.K. [by the] ICO under criminal warrant, and ultimately [Cambridge Analytica was] criminally convicted for defying the authorities. By contrast, the FTC’s record fine was instantly obliterated as investors surged the market cap beyond the cost of the fine. At least the U.K. had some tools to prosecute data crimes."
Justin Brookman, formerly policy director at the FTC's Office of Technology Research and Investigation and now policy director of consumer privacy and technology policy at Consumer Reports, said while "$5 billion is a lot of money, it's unclear to have an impact on Facebook's practices in general, absent clear, substantive limitations on what they can do with data."
But Phil Lee, an attorney at Fieldfisher, said those kinds of comparisons miss the overall bigger picture, "namely that the FTC has broken new ground issuing a fine of this magnitude, and has created a precedent that it, or other wider international privacy regulators, can issue future fines of a similar scale. No matter how large your revenues, no business will fancy that prospect."
But what does all this mean for talks in the U.S. about a federal privacy law, if anything? A significant part of the conversation in Congressional hearings is who should enforce such a law. For now, that responsibility would fall squarely on the shoulders of the country's de-facto privacy regulator: the FTC. With wildly split reactions over whether the Facebook fine is a win or a loss for privacy, does that complicate the effort to push a baseline privacy law through?
Kestenbaum says no.
"The reported settlement says nothing about the need for a federal privacy law. There are many reasons why the United States should have a baseline federal privacy law — no case changes that. But the reported settlement should definitively establish that the FTC is best positioned to serve as the enforcement agency under any new privacy law."
If you want to comment on this post, you need to login.