Export Compliance Daily is a Warren News publication.
Zuckerberg Held to Account?

FTC Facing Pressure After Facebook Estimates Privacy Loss

The FTC is under pressure after Facebook estimated it will lose $3 billion-$5 billion as a result of the FTC’s data privacy investigation (see 1904240064), but a fine in the billion-dollar range would be significant, some experts said in recent interviews. Ex-FTC Chief Privacy Officer Marc Groman noted he had estimated a penalty in the $300 million range when news of Cambridge Analytica initially broke.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Although Facebook should be fined an amount in the billions, the dollar value isn’t the key, wrote Center for Digital Democracy Executive Director Jeff Chester. Any amount is meaningless unless the agreement includes robust structural changes for company data practices, he continued. Chester suggested a team of independent experts review and approve data-driven business decisions at Facebook and report to the FTC and Congress. The company didn’t comment.

Future of Privacy Forum CEO Jules Polonetsky, who's to testify before the Senate Commerce Committee on privacy Wednesday (see 1904240023), sided with Groman. Any amount in the billions sends “a strong signal to CEOs and corporate boards,” he said. He said Congress should grant the FTC civil penalty authority. “That makes the threat of fines a reality for all companies, not just those under an FTC order.”

It’s possible Facebook’s strategy was to announce a large number far exceeding the potential agreement, Groman said, so it can claim victory if the total is less. That won’t dictate agency decision-making, he said.

Facebook’s announcement doesn’t necessarily reflect what the settlement will be, a former Consumer Protection Bureau official said, noting it’s an estimation for maximum liability tied to litigation. The company could be preparing for worst-case scenario, which the agency may or may not meet, depending on the strength of the case.

There’s been much discussion about holding CEO Mark Zuckerberg accountable individually for privacy violations. In addition to its 2011 consent decree, the agency could use Section 5 of the FTC Act to hold Zuckerberg or other executives liable. Section 5 dictates that corporate officers can be held liable “if the officer ‘owned, dominated and managed’ the company and if naming the officer individually is necessary for the order to be fully effective in preventing the deceptive practices which the Commission had found to exist.”

It’s “difficult to believe” senior management didn’t have knowledge of illegal acts, based on mounting public evidence in emails and testimony, Groman said. Facebook’s entire business model is based on ad revenue and the processing of personal data, he said. The processing isn’t the activity of a subsidiary or separate business, he noted.

DuckDuckGo CEO Gabriel Weinberg agreed a one-time fine won’t solve the issue. “Here's hoping the FTC penalty mandates structural changes to their privacy practices and not just a -- pick your favorite cost of doing business metaphor -- parking ticket, slap on the wrist, etc.,” he said in a statement.

Facebook’s ad archive application programming interface limits researchers and doesn’t allow bulk data collection needed for proper outside assessment, Mozilla blogged Monday. The API is lacking in that there’s no “information on targeting criteria, so researchers have no way to tell the audience that advertisers are paying to reach,” it said. Mozilla and more than 60 researchers last month published five guidelines they said Facebook’s API should meet. The group determined the platform failed on three.