Fine against Facebook: How the American FTC transformed itself into “super CNIL”

Article written in partnership with The Conversation
Winston Maxwell, Télécom Paris – Institut Mines-Télécom

[divider style=”normal” top=”20″ bottom=”20″]

[dropcap]T[/dropcap]he US consumer protection regulator has issued a record $5 billion fine to Facebook for personal data violations. This fine is by far the largest ever issued for a personal data violation. Despite some members of the US Congress saying that this is not enough, the sanction has allowed the FTC to become the most powerful personal data protection regulator in the world. And yet, the USA does not have a general data protection law.

To transform itself into a “super CNIL”, the American FTC relied on a 1914 text on consumer protection that forbids any unfair or deceptive practices in business. France has a similar law in its Consumer Code. In the USA, there is no equivalent to CNIL on a federal level. Therefore, the FTC have taken this role.

It was not easy for the FTC to transform a general text on consumer protection into a law on personal data protection. The organization faced two obstacles. Firstly, they had to create a legal doctrine that was clear enough for businesses to understand what constitutes an unfair and deceptive practice in terms of personal data. Then, they had to find a way to impose financial sanctions, since the 1914 FTC act did not include any.

Proceedings against Facebook

A Facebook office. Earthworm/Flickr, CC BY-NC-SA

To clearly define a deceptive personal data practice, the FTC created a legal doctrine that punishes any business that “fails to keep their promises” in terms of personal data. The FTC had started a first lawsuit against Facebook in 2011 accusing them of deceptive practices due to the discrepancy between what Facebook told consumers and how the company acted. To spot a deceptive practice, the FTC will examine each sentence of a company’s privacy policy to identify a promise, even an implied promise, that is not being kept.

An unfair practice is more difficult to prove, which explains why the FTC prefer to use the term ‘deceptive’ rather than unfair. The FTC considers an unfair practice to be any practice that would be both surprising and not easily avoidable for the average consumer.

The FTC Act does not allow the FTC to directly impose a financial penalty. To do this, they have to ask the US Department of Justice to file a lawsuit. To work around this issue, the FTC encourages settlement agreements. The FTC Act allows the regulator to directly impose sanctions in the event of a breach of these agreements. The most important thing for the FTC is to get an agreement signed at the time of the company’s first violation. This means that in the case of a second violation, the FTC is in a position of strength. The Facebook incident follows this pattern. Facebook signed a settlement agreement with the FTC in 2012. The FTC have now found that Facebook violated this agreement by sharing personal data with Cambridge Analytica. The violation of the agreement made in 2012 allows the FTC to hit back strongly and negotiate a new agreement that will last 20 years, this time with a $5 billion fine.

Settlement agreements

If settlement agreements allow the FTC to increase its powers, why do companies sign them? Companies put themselves in a weaker position by signing settlement agreements and the contract prepares the FTC to make these companies more vulnerable in the case of a second violation.  However, most companies prefer to negotiate an agreement with the FTC instead of going to trial. As well as the large cost of a lawsuit and the negative effect it has on a company’s image, if a company loses a lawsuit to the US government, the door is then opened for other parties to sue them, in particular with consumer class action lawsuits. Companies fear the snowball effect. In addition, a settlement agreement with the FTC does not set a precedent since the company does not admit that they are guilty in the agreement. This means that the company can claim their innocence in other lawsuits.

As well as increasing the FTC’s sanctioning powers, the settlement agreements allow them to establish detailed requirements for personal data protection. A settlement agreement with the FTC can become a mini-GDPR and binds the company for 20 years, which is the usual duration for these agreements.

The new agreement states that Facebook must gain the explicit consent of the user before they use their facial recognition data for any purpose, or before they share their mobile phone number with a third party. The 2012 agreement already required Facebook to carry out impact assessments and this obligation was reinforced in the 2019 agreement. The new agreement requires Facebook to put in place a committee of independent administrators who will manage the implementation of the agreement within the company. As well as this, Facebook’s status will have to be changed to ensure that Mark Zuckerberg is not the sole person who can dismiss those in charge of managing the obligations. The new agreement requires Mark Zuckerberg to sign a personal declaration stating that the company will comply with the commitments made in the agreement. A false declaration would put Mr Zuckerberg at risk of criminal penalties, including imprisonment. Most importantly, the agreements oblige Facebook to document all its risk reduction measures and carry out an audit every two years using an independent auditor.

The 2012 act already included a biannual audit. Following the Cambridge Analytica investigation, the EPIC association was provided a copy of an audit carried out for the 2015-2017 period. The audit did not identify any abnormalities relating to data sharing with Cambridge Analytica and other Facebook business partners. This caused the FTC to question the effectiveness of audits, leading them to strengthen the audit regulations in the new 2019 agreement.

Although the 2012 settlement agreement did not prevent Facebook from crossing the line in the Cambridge Analytica scandal, it did allow the FTC to strongly intervene and sanction this second violation. As well as the $5 billion fine, the new 2019 agreement contains several accountability measures. These measures ensure that the commitments agreed by Facebook are applied at every level of the company and that any violation will be detected quickly. Facebook’s management will not be able to say that they were not made aware and Facebook will have to adhere to these governance commitments for the next 20 years.

In the USA, it is common for companies to negotiate agreements with the government. This process is sometimes criticized as a form of forced negotiation. The $8.9 billion fine against BNP Paribas was a “negotiated” agreement, although whether the negotiation between the French bank and the US government was balanced is questionable. In Europe, there are no settlement agreements for personal data violations, but they are common in competition law.

[divider style=”dotted” top=”20″ bottom=”20″]

Winston Maxwell, Télécom Paris – Institut Mines-Télécom

The original version of this article (in French) was published in The Conversation. Read the original article