Everyone has heard the news about Facebook’s privacy matter, in particular the US$5 billion penalty imposed by the Federal Trade Commission (“FTC”). But what other important issues are there beyond the penalty?
Below is a bullet-point summary of the key points that one needs to be aware of. I know you are short of time, so I am shortening your reading (although reading the full text is recommended).
1. What does the Settlement consist of?
1.1. US$5 billion penalty = 9% of FB’s 2018 revenue = 23% of its 2018 profit
1.2. Five channels of compliance hold FB accountable (heavily intervening into FB’s company governance):
(a) – Establish a Board Privacy Committee: consists of independent board members who cannot be removed by less than 2/3 of voting shares (more than those Zuckerberg controls).
(b) and (c) – accountability at the individual level: quarterly and annual certifications submitted by Zuckerberg and FB’s Designated Compliance Officers (“DOCs”), in their capacities as individuals.
(d) & (e) – independent third-party assessor and FTC monitor.
1.3. Transparency
(a) quarterly privacy review report – (i) prepared by DOCs, (ii) submitted to the CEO and the 3rd-party assessor (or the FTC when requested), and (iii) DOCs personally certify that the company has implemented the policy.
(b) incident report – (i) required when the data of 500 or more users is compromised; (ii) the report must be delivered to the FTC within 30 days; (iii) the report sets out the steps taken to remediate the issue; (iv) progress reports continue to be provided every 30 days.
(c) 3rd-party assessor’s biennial assessment of FB’s privacy program
(d) each quarter, the privacy committee must receive a briefing from FB management; the privacy committee must meet the assessor, at least quarterly, without FB management’s presence, and then propose remediation afterwards.
2. What is the legal nature of this deal?
It is a civil settlement between the FTC (representing the United States) and Facebook. It is NOT an administrative fine. The outcome of the settlement is a “Stipulated Order for Civil Penalty, Monetary Judgment, and Injunctive Relief” (“Stipulated Order”). Also see Plaintiff’s Consent Motion for Entry of Stipulated Order, submitted to the court (D.C. District Court) on July 24, 2019.
According to the FTC’s statement, “[e]ven assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook’s governance structures and business operations as we deem fit.” “As a civil law enforcement agency (and not a regulator), we can only get what we can win in litigation or via hard-fought negotiations.” Statement of Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson In re Facebook, Inc., July 24, 2019.
3. What is the “valid term” for this settlement?
In general, twenty (20) years. See Sections VIII.C. (3rd-party assessment), XIII.B. (compliance reporting) and XIV (recordkeeping) of the Stipulated Order. However, for certain issues, it could be construed to be perpetual.
4. What are the dissenting opinions?
Two of the five FTC Commissioners have each filed statements dissenting from the majority decision to settle with Facebook (here and here). In general, they thought that the settlement was not sufficient to create deterrence against FB (note: not against other companies, but FB in particular!), yet provided an overly broad release to FB and its management. They also thought that the injunctive relief lacks specifics on actual data processing (collection, deletion and transparency). They think that it is time for the FTC to bring the case to litigation, so that a law (and not just a contractual obligation) can be formally created and consumers can be protected under it.
5. OK, my comments:
5.1. This is a landmark deal, for sure, in almost every aspect. However, the amount of the penalty might be the least important one. More fundamentally, this deal introduced a strong intervention into traditional company governance, which would hardly be approved by a court in litigation.
5.2. Impact on the future? Yes, but maybe not as big as one may imagine. The deal is so unique that it can hardly be referred to in cases where the data controllers are smaller than Facebook or the data users are running a business model different from that of FB. The dissenting views (hoping to make law through litigation) are a little bit idealistic, because even if this case ended with a court decision on the merits, lawyers would find many ways to distinguish it from later cases.
5.3. More to come…