By now, amid a flurry of news reports and a #deleteFacebook hashtag, Facebook’s users are keenly aware of data security problems at the social media giant.
For many, despite the hand-wringing of privacy advocates, it may be the first time they have paid any attention to those concerns and the trade-offs inherent in a free service that profits from brokering data.
The incident will likely affect even more online offerings as a chorus of critics demand an end to the self-regulation free-for-all that tech companies have thus far enjoyed in the United States. The big question: What will that regulatory regime look like?
In recent days, Facebook received confirmation from the Federal Trade Commission that the agency is investigating whether the exposure of personal data belonging to an estimated 50 million users is a violation of a 2011 consent decree with the company over privacy failings.
The announcement sent the company’s stock price tumbling and dragged down numerous other tech stocks amid fears that legislators and state officials seek to regulate Facebook in particular, and perhaps social media in general. In a worst-case scenario, a $40,000 fine for each violation of Facebook’s consent decree could, theoretically, leave the company facing fines counted in trillions of dollars.
It all relates to an international political consultant, Cambridge Analytica. It improperly used the personal data of 50 million Facebook users, without their consent. The company used psychological profiling, made possible by the data, in its well-compensated quest to sway election results around the globe—most notably, on behalf of Donald Trump’s successful 2016 U.S. Presidential bid. Separately, some Facebook users found that the company’s Android-based mobile app has logged metadata from every incoming and outgoing phone call and text message.
Facebook Founder and CEO Mark Zuckerberg, who once famously declared that privacy is no longer a “social norm,” has retreated from that sentiment as scrutiny of his company heats up. Amid calls to testify before Congress, Facebook announced that it was simplifying and improving customer privacy settings, allowing more control over what data is, or isn’t shared.
That move, perhaps long overdue, is unlikely to deter a debate over increased regulation.
Speaking at a recent China Development Forum in Beijing, Apple CEO Tim Cook leveraged the Facebook news to call for “well-crafted” regulations to protect the privacy of user data. The Economist, as another example, editorialized in favor of a cross-industry Data Rights Board to supervise the use of consumer data. Others, in growing numbers, are proposing a U.S. port of Europe’s General Data Protection Regulation.
The FTC’s new investigation into Facebook’s privacy practices “has the potential to raise the privacy bar for companies, and not only those in the social media space,” says Michael Morgan, a partner at law firm McDermott Will & Emery and a leader of the firm’s Global Privacy and Cyber-security practice. “The stakes in this investigation are high for Facebook, especially given its business model’s reliance on consumer trust, Facebook’s settlement of an FTC investigation relating to privacy in 2011, and the intense media attention surrounding the FTC’s investigation, the other government investigations and litigation, and the underlying Cambridge Analytica matter in general.”
As it has for many years, the FTC continues to assert its authority to investigate suspected violations of consumers’ privacy expectations, Morgan added. “The privacy community closely tracks the FTC’s enforcement activities since they can highlight regulatory expectations that need to be considered when managing privacy programs.”
For Bart Lazar, a privacy attorney with Seyfarth Shaw in Chicago, Facebook’s woes trigger memories of previous regulatory crackdowns.
He was the lead attorney defending the build-your-own Website company GeoCities in the FTC’s privacy action against the company. GeoCities lost a third of its stock value the day the FTC announced its privacy settlement, but ended up being purchased by Yahoo at a substantial premium the next year.
“The GeoCities/FTC enforcement took place in 1997/1998, and not that much has changed in 20 years,” he says. “The issues are really the same. The last decade or so, the focus has been on security as opposed to privacy. The Facebook situation brings to bear some very basic privacy issues, such as the clarity of privacy notices and the importance of serious due diligence with respect to any third party or service provider to whom personal information is disclosed.”
“The U.S. has never had baseline privacy protections, just a hodgepodge of federal and state laws,” Lazar added. “The FTC has made itself out to be the sheriff in the privacy space, but does the FTC enforcing its broad Section 5 authority [against deceptive or abusive practices], without real legal guidance, help consumers and businesses?”
Lazar expects that concerns about consumer data will continue to be amplified. “These companies have a lot of data, and they don’t always have a full understanding of what their own people are doing and what they are knowingly or unknowingly permitting third parties to do with their data,” he says. “The development of new technology brings new opportunities but also new risks.”
“It’s a natural development to have some form of baseline privacy regulation in the U.S. that follows the original OECD guidelines,” Lazar says. “If they are reasonably aligned with the GDPR rules, or just reasonably aligned with the global OECD privacy principles, then ultimately it could be beneficial for everyone, for businesses and consumers alike.”
Since the 1970s, the International Organisation for Economic Co-operation and Development has played an important role in “promoting respect for privacy as a fundamental value and a condition for the free flow of personal data across borders.” It touts the “cornerstone” of these efforts as its Revised Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, released in 2013.
Lazar stresses that companies need to seriously consider the “blocking and tackling of privacy.” They should provide “reasonable, clear, and conspicuous notice to individuals, so they reasonably know what is going on with the information collected” and make sure “the promises made to customers are fulfilled.”
Tech companies might also benefit by adapting privacy rules from other sectors, including the “Know Your Customer” demands of the financial world and business associate agreements demanded from healthcare entities by the Health Insurance Portability and Accountability Act of 1996.
A U.S. version of GDPR
On May 25, 2018, the EU’s General Data Protection Regulation will take effect. It replaces the EU Data Protection Directive, enacted in 1995, marking the most sweeping changes to EU data privacy laws in more than 20 years. The result is a harmonized set of rules across the European Union.
The new law has the effect of a global regulation. Whereas only companies physically located in Europe could once be found liable for data privacy violations under the Data Protection Directive, the GDPR covers any company, regardless of geographic location, and makes it liable if it offers services to individuals in the European Union or monitors their behavior.
New requirements include a ramping up of data collection transparency, clear data collection consent, and a “right to be forgotten” that consumers can rely upon to remove collected or posted information. Organizations in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 million (U.S.$25M), whichever is greater.
It took the European Union six years to shepherd GDPR into law. During that time, similar U.S. efforts came and went.
Starting in 2012, the Obama administration made multiple attempts for a Consumer Privacy Bill of Rights, “a comprehensive blueprint to improve consumers’ privacy protections and ensure that the Internet remains an engine for innovation and economic growth.”
The Consumer Privacy Bill of Rights was intended to provide “a baseline of clear protections for consumers” and greater certainty for businesses. The rights included: giving consumers a right to exercise control over what personal data organizations collect from them and how they use it; a demand for easily understandable information about privacy and security practices; a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data; and a right to secure and responsible handling of personal data.
Consumers would have also had a right to reasonable limits on the personal data that companies collect and retain.
In terms of national legislation, the Open Markets Institute, a group known for its battle against monopolies, has its own list of potential new regulations.
Imposing strict privacy rules on Facebook, perhaps using Europe’s new General Data Protection Regulation as a guide.
Spinning off Facebook’s ad network, eliminating most of the incentive that Facebook now has to amass data and to interfere and discriminate in the provision of information and news.
Reversing the approvals for Facebook’s purchases of WhatsApp and Instagram and reestablishing these as competing social networks.
Prohibiting all future acquisitions by Facebook for at least five years.
Establishing a system to ensure the transparency of all political communications on Facebook, similar to other major communication networks in the U.S.
As is often the case, California is trying to use its clout and prominence to spark a national debate.
Among the pending legislative efforts in the state is a potential ballot initiative that gives customers the right to ask businesses what personal data is being collected about them and how the data is being used. They would be able to opt out of that data collection and sue for damages.
Assemblyman Marc Levine, a Democrat, has been active on the privacy front. Legislation he crafted would create the California Data Protection Authority. Inspired by GDPR, it would oversee Californians’ online personal data.
The California Data Protection Authority will be charged with developing online privacy regulations, including:
A prohibition of social media Websites from conducting potentially harmful psychological experiments on their users;
The standardization of the presentation of online user agreements, ensuring users clearly understand permissions given to companies;
The development of methods helping people of California remove their data from the internet and data servers when deleting profiles and content.
“Technology is being used to collect massive amounts of data that is then monetized and weaponized against democratic society and our way of life,” Levine says.
His work on creating a Data Protection Authority started last year and was inspired by the EU’s GDPR. “I was fascinated by the EU’s ability to lead on this,” Levine said. “It has taken six years to get to where they are. Here in the United States, however, we have been completely unable to regulate the most profitable corporate interests in the history of the world … My hope is that the California Data Protection authority can be a model for the entire nation.”
There cannot be a law in Europe “that is flaunted in other jurisdictions,” he added. He points to emission-related laws and regulations for automakers around the world. Nevertheless, Volkswagen was caught cheating by California’s Air Restrictions Board.
“It was because California had its own regulatory body that we were able to catch Volkswagen red handed,” Levine says. “If you think that is the only industry, sector, or corporation that is going to cheat on regulations you are sorely mistaken. We have seen, time and time again, that these big tech companies only cry mea culpa when they have been caught.”
The “double edged sword” Levine faces is that “you want to be a cheerleader for homegrown industries, and protect high-paying jobs.” He is hopeful, however, that “we can have strong consumer protections and still have a strong technology” business base.
“If they can do it in Europe with GDPR, why can’t we do it here in California?” he asks.