The FTC on Wednesday officially unveiled its $5 billion data privacy settlement with Facebook — adding to the outrage of Democratic lawmakers and regulators who called the provisions far too mild to hold the social media giant accountable or deter future misdeeds.
In addition to the fine — by far the largest privacy-related settlement the FTC has ever won from a company — the agreement calls for Facebook to establish an internal privacy oversight committee, “removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy,” the FTC said in a statement Wednesday that came just as special prosecutor Robert Mueller’s long-awaited testimony in Congress was commanding people’s attention throughout Washington.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” said FTC Chairman Joe Simons when announcing the settlement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
The settlement, though, does not hold Facebook executives, including CEO Mark Zuckerberg, personally liable for privacy violations at the company. (The extent of Zuckerberg’s personal exposure under the settlement is a requirement that he certify to the FTC on a quarterly basis that the company is carrying out a privacy program for assessing and disclosing privacy risks.) And the $5 billion fine is far lower than the sum that agency employees had initially discussed seeking to collect from Facebook — a figure that could have been greater than $30 billion, according to a House Judiciary Committee aide briefed on the negotiations.
FTC officials “had been discussing a much more substantial fine, so I’m very disappointed” with the $5 billion figure, House antitrust subcommittee chairman David Cicilline (D-R.I.) told POLITICO in an interview Tuesday.
Wednesday’s FTC announcement confirmed that the commission’s two Democratic members, who favored stiff punishment for Facebook, had voted no when its five-person board approved the deal behind closed doors earlier in July.
Democrat Rohit Chopra explained Wednesday that he voted against the deal in part because of its treatment of Facebook’s top officials.
“It doesn’t fix the incentives causing these repeat privacy abuses. It doesn’t stop $FB from engaging in surveillance or integrating platforms. There are no restrictions on data harvesting tactics — just paperwork,” Chopra said on Twitter. “Mark Zuckerberg, Sheryl Sandberg, and other executives get blanket immunity for their role in the violations. This is wrong and sets a terrible precedent. The law doesn’t give them a special exemption.”
And the commission’s other Democrat, Rebecca Slaughter, said in a statement, “I believe we should have initiated litigation against Facebook and its CEO Mark Zuckerberg. The Commission would better serve the public interest and be more likely to effectively change Facebook by fighting for the right outcome in a public court of law.”
The FTC case, inspired by Facebook’s involvement in last year’s Cambridge Analytica data scandal, was widely viewed as a test for the agency and its Trump-nominated chairman, Joe Simons, on their ability to hold tech companies accountable for their privacy practices. But early rumblings about the outlines of the settlement in mid-July prompted Facebook’s stock price to jump — a sign that investors believe the company had escaped serious harm — and brought criticism from lawmakers of both parties.
Under the settlement, which binds the company for 20 years, Facebook agreed to restrictions on specific data-handling practices. The company, for example, may not use phone numbers collected from users for security reasons to advertise to them. And it must both make plain how it is using facial recognition technologies in its products and ensure that user passwords are encrypted.
Facebook, for its part, said the deal would reform how the company handles user privacy — while also making clear that it’s being held to a higher standard than other U.S. corporations.
Facebook general counsel Colin Stretch said in a statement, “The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company.” Added Stretch, “The accountability required by this agreement surpasses current US law and we hope will be a model for the industry.”
But critics who believe the agency failed its test to make a tech giant answer for privacy failures may have to turn to Congress as their best hope for doing what they believe the Trump administration won’t.
“This fig leaf deal releases Facebook without requiring any real privacy protections — no restraints on future data use, no accountability for top executives, nothing more than chump change financial fines,” Sen. Richard Blumenthal (D-Conn.) said in a statement. “This tap on the wrist, not even a slap, makes Congressional action all the more urgent to set strong privacy rules and enforce them vigorously.”
The FTC case was provoked by last year’s revelations that Cambridge Analytica, a now-defunct political consulting firm that had worked for President Donald Trump’s 2016 campaign, gained improper access to information on tens of millions of Facebook users.
The scandal prompted additional federal action announced in tandem with the FTC’s settlement Wednesday. The agency also said it’s suing Cambridge Analytica after the firm, which is no longer in operation and filed for bankruptcy last year, didn’t settle allegations that it engaged in false or misleading behavior about its actions and lied about complying with the EU-U.S. privacy shield agreement, a legal safe harbor for transatlantic data transfers. In announcing the lawsuit, the FTC said further that it did settle with two central figures in the scandal — former Cambridge Analytica CEO Alexander Nix and app developer Aleksandr Kogan — who agreed to accept restrictions on future business dealings and delete and destroy any personal data collected.
Separately, the Securities and Exchange Commission announced Wednesday that Facebook will pay $100 million to resolve charges that it withheld information about the Cambridge Analytica flap from shareholders. The company for more than two years failed to properly disclose that Cambridge Analytica had compromised Facebook user data, the SEC had alleged.
The FTC action against Cambridge Analytica drew unanimous support from the commission, throwing into sharper relief the partisan split on the larger move against Facebook itself. That divide echoes a broader dynamic of Washington in the Trump era, in which members of both parties have castigated abuses by the tech industry but Democrats accuse Republicans of taking actions that only further empower the moneyed giants of Silicon Valley. The president has pilloried the tech industry time and again, accusing Amazon of skimping on its taxes and ripping off the U.S. Postal Service, and alleging that Facebook, Twitter and Google censor conservatives. Yet none of the president’s critiques have resulted in action, and the industry has ultimately prospered under the administration’s 2017 tax overhaul.
And tech has spent recent years amassing an army of allies to try and ensure that its Washington fortunes remain rosy despite criticism from both sides of the aisle. Companies like Facebook, Google and Amazon have spent record sums bankrolling lobbyists, trade associations and think tanks with influence across the political spectrum — with Facebook and Amazon each spending more than $4 million on federal lobbying alone during the quarter that ended on June 30.
Some industry critics fear U.S. regulators remain outmatched by Silicon Valley’s deep pockets and technological savvy. Facebook alone is worth a half-trillion dollars and has nearly 30 employees for every one of the FTC’s.
Still, the FTC action could give new momentum to the efforts of lawmakers eager to check the power of big tech companies.
Members of both parties routinely condemn the data-collection practices of the big internet firms, and bipartisan negotiations are underway in Congress to develop a national data protection law. Despite early optimism on both sides, those talks have dragged on without results as partisan sticking points have emerged. In particular, many Democrats want a law to let Americans sue corporations over privacy failures, and they oppose any federal measure that would weaken privacy rules in California and other states.
The settlement, however, could help lawmakers break through their apparent impasse, giving Democrats — and the handful of GOP critics of the settlement, such as Sens. Josh Hawley of Missouri and Marsha Blackburn of Tennessee — an even greater sense of urgency behind the need to get firm privacy rules on the books.
For now, the biggest privacy gauntlet that U.S. tech firms face is in Europe, where a sweeping privacy law enacted last year gives regulators the authority to impose multibillion-dollar fines over data violations. European regulators have faced accusations of failing to wield that power aggressively, but the law opens an additional dimension to the scores of EU investigations and massive fines that Silicon Valley firms have faced over issues like antitrust.
Trump has shown some signs of favoring a European-style approach. Asked in a June CNBC interview about the market power of U.S. tech giants, the president suggested following Europe’s lead.
“They get all this money,” he said. “Well, we should be doing — they’re our companies. So they’re actually attacking our companies. But we should be doing what they’re doing.”
John Hendel and Zachary Warmbrodt contributed to this report.
This article was originally published by Politico on July 24, 2019. Reprinted with permission.
About the Author: Nancy Scola is a senior technology reporter for POLITICO Pro. For more than a decade, Scola has covered the intersections of technology, politics, and public policy for a wide variety of outlets. She has served as a tech policy reporter for the Washington Post, a contributing writer at Next City, and a tech and politics correspondent for the Atlantic. As a freelance writer, she has contributed to the Atlantic, Washingtonian, Reuters, and many other publications.
Scola grew up in northern New Jersey and is a graduate of both the George Washington University and Boston University, with degrees in anthropology from each. She lives in Capitol Hill.
About the Author: Steven Overly covers technology policy and politics for POLITICO with a special focus on the industry’s effort to influence decisions in Washington. He previously spent seven years as a reporter and editor at The Washington Post. Steven holds a degree in journalism from the University of Maryland, College Park, and a master’s degree from Columbia University, where he studied as a Knight-Bagehot Fellow in Economics and Business Journalism. A native of the Washington metro region, Steven currently resides in the District.