On July 24, 2019, Facebook was fined $5 billion in the United States by the Federal Trade Commission (FTC) – the largest to date for any company accused of violating consumers’ data privacy. Facebook must also establish an independent privacy committee to improve their data privacy standards and reduce the possibility of future violations.

The FTC’s inquiry into Facebook’s data handling started in March 2018 after it was revealed that users’ personal data was illegally harvested from an online personality quiz. This data was then sold to Cambridge Analytica, a data analytics firm, without the users’ knowledge.

Through the app that collected the data of those taking the quiz, Cambridge Analytica was able to access 87 million accounts. It is believed that the researchers then used the information to target users with political advertising during the 2016 US presidential election and possibly the UK Brexit referendum.

The Trump campaign hired Cambridge Analytica to run operations during that election. Using the information gathered from Facebook users, Cambridge Analytica was able to advise the campaign on how to identify voters for advertising purposes, provide strategic insight on improving communication with voters, and recommend where to hold rallies.

In issuing this settlement fine, the FTC also held Facebook responsible for violating policies against deceptive practices, such as tricking customers who used its facial recognition tool and not informing them that phone numbers collected to make user accounts more secure (known as two-factor authentication) would be used to sell ads.

The three supporting FTC commissioners stated that “[t]he Order imposes a privacy regime that includes a new corporate governance structure, with corporate and individual accountability and more rigorous compliance monitoring.”

Fines and judgments in other jurisdictions

The US Securities and Exchange Commission (SEC) also accused Facebook of misleading customers regarding their personal data handling. As a result, Facebook is to pay a further $100 million to settle these claims.

The US authorities are not the only ones to impose fines on Facebook. In October 2018, the Information Commissioner’s Office in the UK also fined the company £500,000 for its mishandling of customer data in its dealings with Cambridge Analytica. The fine was the maximum penalty that the Commission could impose under the existing laws at the time of the contravention. The Information Commissioner, Elizabeth Denham noted that “[t]he fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

In addition to the US and the UK, Facebook has faced scrutiny in Germany. In February 2019, its independent competition authority, the Federal Cartel Office (FCO), ordered Facebook to substantially restrict how it collects and combines personal data from its customers. Specifically, the FCO held that Facebook may use its services – including Instagram and WhatsApp – to collect personal data. However, it cannot assign that data to a Facebook account unless the customer gives voluntary consent. Similarly, the company cannot collect data from third-party websites and assign it to a Facebook user account unless the customer gives voluntary consent. In other words, Facebook cannot combine data collected from different social media services to formulate a complete picture of a given customer unless it has voluntary consent. This decision is unique because it blends antitrust and data protection law, which could be significant for future data gathering practices in big data businesses.

What next?

As Facebook’s legal saga in multiple jurisdictions shows, personal data protection has become a priority in consumer protection. Companies with data-driven business models should carefully review their data collection practices and obtain regulatory advice, safeguarding compliance with the data protection laws in the jurisdictions where they operate. Depending on the size of their operation, companies are advised to implement data protection audits, develop appropriate data protection training, and either appoint a Data Protection Officer (DPO) or consider outsourcing these services to ensure they comply with data privacy laws and avoid hefty penalties.