A few days ago we witnessed the answer to a question we have always asked ourselves: what is a paradigm shift? The FTC's $5 billion civil fine against Facebook for violating a previous FTC order from 2012 is a historical record, and it involves more than payment: Facebook must implement changes to its privacy practices, its corporate structure and the role of CEO Mark Zuckerberg, changes with seismic reach.
The $5,000 million fine against Facebook is the largest ever imposed on a company for violating consumer privacy and is almost 20 times greater than the largest data security or privacy fine ever imposed worldwide. It is one of the largest penalties ever assessed by the United States government for any violation.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumer options,” said FTC President Joe Simons. “The magnitude of the $5 billion fine and the sweeping behavior relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change the entire Facebook privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
“The Department of Justice is committed to protecting the privacy of consumer data and ensuring that social media companies such as Facebook do not fool people about the use of their personal information,” said Deputy Attorney General Jody Hunt of the Civil Division of the Department of Justice. “The historical conditions of penalty and compliance with this agreement will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.”
More than 185 million people in the United States and Canada use Facebook daily. Facebook monetizes user information through targeted advertising, which generated most of the company’s revenue of $55.8 billion in 2018. To encourage users to share information on its platform, Facebook promises users that they can control the privacy of their information through Facebook’s privacy settings.
After a one-year investigation by the FTC, the Justice Department will file a complaint on behalf of the Commission alleging that Facebook repeatedly used misleading information and settings to undermine user privacy preferences, in violation of its 2012 FTC order. These tactics allowed the company to share users’ personal information with third-party applications that were downloaded by the user’s Facebook “friends”. The FTC alleges that many users did not know that Facebook was sharing such information and, therefore, did not take the necessary measures to opt out.
In addition, the FTC alleges that Facebook took inappropriate measures to deal with applications that it knew were violating its platform policies.
Remember: why did the FTC sanction Facebook in 2012?
In 2012, the FTC accused Facebook of eight separate privacy-related violations, including the claim that the company made misleading statements about the ability of consumers to control the privacy of their personal data. One specific count alleged that Facebook allowed users to choose settings that supposedly limited access to their information to “friends” only, without adequately disclosing that other settings allowed that same information to be shared with the developers of applications used by those friends.
To resolve that case, Facebook accepted an order that, among other things: 1) prohibited Facebook from making false statements about the privacy or security of consumer information, 2) prohibited Facebook from making false statements about the extent to which it shares personal data, and 3) required Facebook to implement a reasonable privacy program.
According to the FTC, Facebook disobeyed that order in multiple ways, and today’s agreement holds the company responsible for putting profits above its privacy promises.
What changes will the new sanction bring?
To prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order revises the way the company makes privacy decisions by increasing transparency in decision making and holding Facebook accountable through overlapping compliance channels.
The order creates greater responsibility at the board of directors level. It establishes an independent privacy committee of the Facebook board of directors, eliminating the unrestricted control of Facebook CEO Mark Zuckerberg over decisions that affect user privacy. The members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be dismissed by a supermajority of the Facebook board.
The order also improves accountability at the individual level. Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and may only be removed by that committee, not by the Facebook CEO or Facebook employees. Facebook CEO Mark Zuckerberg and the designated compliance officers must independently submit to the FTC quarterly certifications that the company complies with the privacy program required by the order, as well as an annual certification that the company complies with the order overall. Any false certification will subject them to individual civil and criminal penalties.
The order also strengthens Facebook’s external supervision. It improves the ability of the external independent advisor to assess the effectiveness of Facebook’s privacy program and identify any gaps. The evaluator’s biennial evaluations of the Facebook privacy program should be based on the evaluator’s own data collection, sampling and independent evaluations, and should not be based primarily on statements or testimonials from the Facebook administration. The order prohibits the company from making false statements to the advisor, who can be approved or removed by the FTC. It is important to note that the independent advisor must report directly to the new privacy committee quarterly. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.
As part of the privacy program required by the order, which also covers WhatsApp and Instagram, Facebook must review the privacy of each new or modified product, service or practice before its implementation, and document its decisions about user privacy. Designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent advisor, as well as with the FTC at the agency’s request. The order also requires Facebook to document incidents in which the data of 500 or more users has been compromised, together with its efforts to address each incident, and to deliver this documentation to the Commission and the advisor within 30 days after the company discovers the incident.
In addition, the order imposes important new privacy requirements, which include the following:
- Facebook should exercise greater supervision over third-party applications, including the termination of application developers who do not certify that they comply with the policies of the Facebook platform or who do not justify their need for specific user data;
- Facebook is prohibited from using the telephone numbers obtained to enable a security feature (for example, two-factor authentication) for advertising;
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology and obtain the express consent of the user before any use that substantially exceeds its prior disclosure to users;
- Facebook must establish, implement and maintain a comprehensive data security program;
- Facebook must encrypt user passwords and scan regularly to detect if passwords are stored in plain text;
- Facebook is prohibited from requesting email passwords to other services when consumers sign up for its services.