The US Federal Trade Commission issues $5bn fine to Facebook and demands significant conduct changes
31 July 2019
The fine, which is the highest ever imposed in the data privacy sphere, accounts for approximately 9% of Facebook’s 2018 revenue. Even more significantly, however, the conduct order requires Facebook to change the way it operates.
The order from the Federal Trade Commission (‘FTC’), which is, among other things, the US consumer privacy watchdog, comes in the wake of significant ‘notices of intent’ to fine British Airways (£183m) and Marriott (£99m) issued by the UK’s Information Commissioner’s Office, although those fines pale in comparison to the FTC order in terms of value. The FTC decision may, however, be a sign of things to come across the EU under the GDPR fines regime (which involves fines of up to €20 million, or 4% of total worldwide annual turnover, whichever is higher, for GDPR breaches).
The fine has been imposed for Facebook’s alleged violation of a 2012 FTC order by ‘deceiving users about their ability to control the privacy of their personal information’.
The fine was not unexpected as Facebook earlier this year set aside several billion dollars to cover it. Facebook has consented to the order (which is essentially a settlement between Facebook and the FTC) and must pay the fine within 7 days.
Along with the fine, the FTC has ordered Facebook to take a number of substantial and onerous measures. For example, Facebook must establish an independent privacy committee (independent of Facebook’s board of directors), members of which can only be removed by a supermajority of the Facebook board. In addition, and along with a large number of other privacy requirements, Facebook must have greater oversight of third-party apps and “must establish, implement, and maintain a comprehensive data security program.” This means that all new products and services developed must be reviewed for privacy compliance before implementation. Further, designated compliance officers must carry out privacy reviews on a quarterly basis and submit the reviews for assessment by the CEO and an independent assessor. Facebook must also cease to work with third-party app developers if they fail to adhere to Facebook policies or do not have a justifiable need for the data they seek to collect or use.
Facebook CEO, Mark Zuckerberg, said in a Facebook post following the announcement that “we're going to make some major structural changes to how we build products and run this company”.