Who's Afraid of the Big Bad $5B Wolf?
Last Friday's breaking news story by The Wall Street Journal that the U.S. Federal Trade Commission (FTC) has approved a fine of $5 billion to be imposed on Facebook came as little surprise. After all, Facebook had already warned its shareholders weeks ago to prepare for a penalty of this amount, for violations of its 2011 consent decree with the FTC.
Expectedly, there have been strong reactions from two directions. While some note the fact that this is the largest privacy violation fine ever imposed by the FTC, others argue that $5 billion is a mere drop in the ocean to the cash-rich social media giant, suggesting a failure on the part of the FTC to enforce consumer privacy laws.
As yet, the FTC has not commented, and the fine has not yet been approved by the Department of Justice.
So, is this fine meaningful? And what are the implications for businesses in general?
No doubt this issue will prompt some lively discussions in the board room concerning operational risk, not to mention potential Congressional hearings on how to scupper state-level privacy laws, in favor of federal privacy regulation.
Former technologist at the FTC, Neil Chilson, said that while we still don't know everything about the legal theory in the case, the fine is significant. He continued:
"the FTC got the largest dollar amount ever in privacy settlement using its general [not privacy-specific] consumer protection authority in a case where no consumer lost a dime. That’s an aggressive approach, potentially beyond what Congress has empowered the agency to do. But it also shows that the FTC has powerful tools to protect consumers."
Attorney Janis Kestenbaum, from international law firm Perkins Coie, said the fine signals the FTC today is "highly focused on privacy and data security, and unafraid to push the envelope when using its limited authority."
Among the many who strongly disagreed was Matthew Stoller, a fellow at the Open Markets Institute, who said:
"The fine is a joke, which is why Facebook's trade associations such as NetChoice are lobbying for it, ...Who lobbies for their own fine unless it's not actually a penalty? They want a good headline. So they want to make the number seem like a record fine. When it isn't. The FTC wants you to compare it in absolute size, but that's apples to oranges. If you compare it to Facebook's revenue, it's relatively small."
But, Professor David Vladeck of Georgetown University Law, and former director of the FTC's Bureau of Consumer Protection, said that he thought the fine made perfect sense when you crunch the numbers.
"By my calculation, it is over 20% of Facebook's 2018 global profits ...and since only half of Facebook's revenues come from the U.S. [and] the FTC does not enforce U.S. law extra-territoriality, $5 billion is a big bite out of a full year's profits."
Stoller argued that a more appropriate action would have been "forcing changes in the business model that would make a difference."
Vladeck countered that it's hard to express an opinion on a consent decree we haven't seen yet. He wants to see whether the structural remedies imposed by the consent decree include things like tight control over third-party access to personal data; clarity concerning what information consumers consent to be shared, and with whom; and that the FTC has "ample oversight capabilities, including real-time reporting of missteps by the company," such as the Cambridge Analytica incident.
Reportedly, the FTC, which usually prefers to reach a consensus in such cases as this, was split along party lines, with Republicans voting in favor and the Democrats voting against. Speculation around Washington suggests that Democrats Rohit Chopra and Rebecca Kelly Slaughter would like to see such operational changes guaranteed.
Professor David Carroll, of The New School in New York City, sued Cambridge Analytica in an effort to discover what data the consulting firm had on him. Carroll's action prompted the UK's Information Commissioner's Office to open an inquiry into why Cambridge Analytica was ignoring his request, with a view to taking appropriate enforcement action. Carroll said the fine indicates a weakness in the U.S. regulator's ability to do its job in regulating tech behemoths. He added:
The U.S. clearly doesn’t have the tools to regulate Big Tech, ...The Cambridge Analytica scandal illustrates this perfectly. Most Americans have no idea its servers were seized in the U.K. [by the] ICO under criminal warrant, and ultimately [Cambridge Analytica was] criminally convicted for defying the authorities. By contrast, the FTC’s record fine was instantly obliterated as investors surged the market cap beyond the cost of the fine. At least the U.K. had some tools to prosecute data crimes.
Former policy director at the FTC's Office of Technology Research and Investigation, Justin Brookman, submitted that while "$5 billion is a lot of money, it's unclear to have an impact on Facebook's practices in general, absent clear, substantive limitations on what they can do with data."
But Phil Lee, an attorney at Fieldfisher, argued that such comparisons miss the overall bigger picture...
...namely that the FTC has broken new ground issuing a fine of this magnitude, and has created a precedent that it, or other wider international privacy regulators, can issue future fines of a similar scale. No matter how large your revenues, no business will fancy that prospect.
Impact on Federal Privacy Law
Rewind to September 26, 2018, and Senator John Thune (R-S.D.), chairman of the Senate Committee on Commerce, Science, and Transportation, convenes a hearing titled “Examining Safeguards for Consumer Data Privacy”.
Thune opened the proceedings by saying:
Consumers deserve clear answers and standards on data privacy protection, ...This hearing will provide leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation.
Meanwhile, the White House, via the Commerce Department's National Telecommunications and Information Administration, issued a Request for Comment on a national privacy framework. The response deadline was set for Oct. 26. This action came hot on the heels of several industry stakeholder recommendations for a national privacy standard, including from the Internet Association, the Interactive Advertising Bureau, the National Credit Union Association, and the U.S. Chamber of Commerce.
Although representatives from Amazon, Apple, AT&T, Charter Communications, Google, and Twitter all backed federal preemption during the hearing, some subtle differences emerged. Len Cali, Senior Vice President for Global Public Policy at AT&T, warned that a federal bill without preemption "would be of little help if it becomes the 51st bill" which companies would need to comply with.
However, Apple differentiated itself on several occasions by calling for a strong federal law. Apple Vice President of Software Technology Bud Tribble said, “it would be helpful to prohibit a patchwork, but it's important for consumers that the bar be high enough to ensure the law is effective.”
Senator Brian Schatz, D-Hawaii, articulated a strong warning during his round of questioning, saying, "I understand not navigating 50 frameworks, but the law should be meaningful. The holy grail is preemption, but I want you to understand that it's got to be meaningful. You won't get anywhere if it's not."
All agreed that the backbone of any meaningful law is enforcement, and that duty should clearly go to the Federal Trade Commission.
Ranking Member Bill Nelson, D-Fla., noting the agency's limited staff and resources, asked members:
Could each of you tell us, will your companies support Congress supplying the FTC with more resources to do its job?
All five industry representatives agreed.
Back to the Present
So here we are, ten months later, on Wednesday July 17, 2019, and the battle between advocates of federal privacy regulation and supporters of state-level laws continues, with significant amounts of time during Congressional hearings still being spent on deciding who should be responsible for enforcing a federal law.
For now, it seems this responsibility would still likely be given to the FTC, as the country's de facto privacy cop on the beat.
With divided opinions on whether the Facebook fine is a positive or negative for consumer privacy, could it actually frustrate efforts to push through a federal baseline privacy framework?
According to Janis Kestenbaum, the answer is a definite "no". She said:
The reported settlement says nothing about the need for a federal privacy law. There are many reasons why the United States should have a baseline federal privacy law — no case changes that. But the reported settlement should definitively establish that the FTC is best positioned to serve as the enforcement agency under any new privacy law.
Stoller was clearly on a different page, arguing that the fine prompts the question "Why bother?". He continued:
"There's no need for a federal privacy bill, ...Why would it matter? Privacy enforcers don't enforce the law. Why would they enforce different laws? They don't enforce."
Meanwhile, Brookman believes the controversy over Facebook's fine strengthens the movement toward passing something:
"If the order doesn't do anything to fundamentally rein in Facebook's data practices, then the calls for privacy law will only get stronger. The FTC just doesn't have the power under Section 5 [of the FTC Act] and with its limited enforcement staff to handle Facebook today. If people are outraged that the order doesn't do enough, the only solution is to enact stricter rules and to give the regulators greater authority."
Members on both sides of the house support this. It's been decades since the FTC's budget was increased, despite numerous requests by the agency for more funding, as well as greater authority, including civil penalty authority. This would enable the agency to issue fines on a first-offense basis, rather than after violation of a consent decree.
The Bottom Line
It remains to be seen what operational changes will occur at Facebook - and other offending tech companies - as a result of fines of this magnitude.
Brookman believes there will be changes.
"Between this, and [the EU General Data Protection Regulation] and [California Consumer Privacy Act], and serious interest in Congress and other states, companies are going to start to realize the party's over," he said. "The data free-for-all of the last 20 years has to come to an end. And no, accountability programs and risk assessments aren't going to cut it."
Phil Lee, an attorney at law firm Fieldfisher, concurs that the fine will cause a shift. He thinks it will change boardroom conversations about budgetary considerations on privacy and risk.
"Rightly or wrongly, many organizations provision their compliance budgets on the basis of enforcement risk, …In a world where your potential risk is in the order of magnitude of a few hundred thousand to low millions of dollars, you get one size of budget. In a world where your potential risk runs to hundreds of millions, even billions, you get a very different size of budget."