You’ve seen it all over the news in 2018: Facebook. With scandals like data security breaches, fake news, and Senate hearings, Facebook has not escaped bad publicity this year. This blog post will first address the steps Facebook has taken and will have to take to avoid similar scandals in the future. It will then discuss the current data privacy laws in the United States and Europe. Finally, it will examine the implications those laws will have on how Facebook conducts its business. It will also note any changes that data privacy law could take in the near future the possible impact of those changes.
While Facebook has had multiple events that have tarnished its reputation when it comes to data privacy, two events in the past year have especially caused turmoil. The Cambridge Analytica scandal was exposed in March of 2018. ((Emily Stewart, Mark Zuckerberg Said Facebook “Made Mistakes” on the Cambridge Analytica Scandal. He’s Not Apologizing., Vox (Mar. 21, 2018, 4:40 PM), https://www.vox.com/technology/2018/3/21/17148852/mark-zuckerberg-facebook-cambridge-analytica-breach.)) Facebook exposed data on up to 87 million Facebook users to a researcher who worked at Cambridge Analytica, which worked for the Trump campaign. ((Alvin Chang, The Facebook and Cambridge Analytica Scandal, Explained with a Simple Diagram, Vox (May 2, 2018, 3:25 PM), https://www.vox.com/policy-and-politics/2018/3/23/17151916/facebook-cambridge-analytica-trump-diagram.)) The company was able to access the user data through a Facebook app quiz that one of its employees created. ((Id.)) The app collected the data of people who took the quiz but also the data of the Facebook friends of the quiz taker, through a loophole in Facebook’s API. ((Id.))
Facebook had an enormous data breach in September 2018. ((Mike Isaac & Sheera Frenkel, Facebook Security Breach Exposes Accounts of 50 Million Users, N.Y. Times (Sept. 28, 2018), https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html.)) An attack on Facebook’s computer network exposed the personal information of nearly 50 million users, and the breach was the largest in the company’s 14-year history. ((Id.)) The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them. (( Id.)) This was different than the Cambridge Analytica because it was software flaws in Facebook’s systems that allowed hackers to break into user accounts. ((Id.)) Once in, the attackers were potentially able to gain access to apps like Spotify, Instagram, and hundreds of others that give users a way to log into their systems through Facebook. ((Id.))
Not long after the Cambridge Analytica scandal Mark Zuckerberg, Facebook’s Chief Executive Officer, outlined a plan to the public for Facebook to protect user data going forward. ((Sarah Frier, Facebook’s Zuckerberg Outlines Steps to Protect User Data, Bloomberg (Mar. 21, 2018, 3:54 PM), https://www.bloomberg.com/news/articles/2018-03-21/facebook-s-zuckerberg-outlines-steps-to-protect-data-after-leak.)) The company planned to do three basic things, starting with “[i]nvestigat[ing] all large apps that were allowed to get data not just on their own users but on those users’ friends, before Facebook changed its policies in 2014, and ban any developers that don’t agree to an audit.” ((Id.)) The company also agreed to let their users know when they encountered issues. ((Id.)) Part two of the plan was to “[r]emove developer access to data if someone hasn’t used that app in 3 months, and reduce the type of information the app gets when users sign in.” ((Id.)) The last part of the plan was to “work to make sure people understand who has access to their data, showing everyone the top of the News Feed in the next month, and making it easy to revoke permissions.” ((Id.)) Despite the announcement of these planned changes, Facebook suffered large losses in the first full quarter following the Cambridge Analytica scandal. ((Jessica Guynn, Why Facebook Had Its Worst Day Ever (And Yes, Cambridge Analytica Is Partly to Blame), USA Today (July 31, 2018, 11:40 AM), https://www.usatoday.com/story/tech/2018/07/26/why-facebook-just-had-its-worst-day-ever-and-yes-cambridge-analytica-partly-blame/843428002/.)) Further, the changes outlined in March did not prevent the September 2018 breach from occurring. This suggests that the changes were not effective.
Public outcry and sinking stock prices aren’t the only thing driving Facebook to alter the way it protects user data. Data privacy laws all over the world have serious monetary implications. The European Union’s GDPR, or General Data Protection Regulation, introduced in May of 2018, is one of the most stringent. ((Adam Satariano, What the G.D.P.R., Europe’s Tough New Data Law, Means for You, N.Y. Times (May 6, 2018), https://www.nytimes.com/2018/05/06/technology/gdpr-european-privacy-law.html.)) The GDPR sets out not only the obligations of organizations but the rights of individuals who are covered by the GDPR. ((Matt Burgess, What Is GDPR? The Summary Guide to GDPR Compliance, Wired (Oct. 4, 2018), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.)) One of the basic rights set out by the GDPR is the right to “have easier access to the data companies hold about them.” ((Id.)) The GDPR imposes multiple obligations onto companies who collect user data. One of the most relevant to Facebook is the obligation to report the “destruction, loss, alteration, unauthorized disclosure of, or access to” personal data to the country’s data protection regulator if the breach could have a “detrimental impact on those who it is about.” ((Id.)) The Information Commissioner’s Office is the entity responsible for enforcing the GDPR through the issuance of fines as well as conducting criminal investigations. ((Id.)) One part of the GDPR provides that the Information Commissioner’s Office must be notified within 72 hours of an organization becoming aware of a breach and the people whose data it has affected must also be notified. ((Id.)) Other relevant parts of the regulation require “documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place” and to obtain consent from users to process data. ((Id.)) The consent requirement includes that there must be a “positive opt-in.” ((Id.))
The penalties imposed on firms who fail to comply with GDPR aren’t insignificant. Offenses with serious consequences will “result in fines of up to 20 million euros or four percent of a firm’s global turnover (whichever is greater).” ((Id.)) Currently, Facebook is facing the potential for a $1.63 billion fine if the maximum fine is imposed by the European Union. ((Arjun Kharpal, Facebook Could Face Up to $1.6 Billion in Fines over Data Breach as Regulators Eye Formal Probe, CNBC (Oct. 3, 2018, 4:04 AM), https://www.cnbc.com/2018/10/02/facebook-data-breach-social-network-could-face-eu-fine.html.)) Investigations into what went wrong, the amount of people affected, and how Facebook responded are ongoing, and it could be months before any fines are actually imposed. ((Id.)) The threat of enormous fines by the GDPR is already forcing Facebook to make changes when interacting with users in the European Union but these changes aren’t being enacted universally. ((Olivia Solon, How Europe’s ‘Breakthrough’ Privacy Law Takes on Facebook and Google, Guardian (Apr. 19, 2018, 3:01 AM), https://www.theguardian.com/technology/2018/apr/19/gdpr-facebook-google-amazon-data-privacy-regulation.))
In the United States, Facebook isn’t facing any real pressure from regulators to change the way that they are conducting business. ((Id.)) The United States’ federal data privacy laws are less stringent, so Facebook is more able to self-regulate. ((See Todd Shields, Steven T. Dennis & Sarah Frier, Senators Tell Facebook CEO the Days of Self-Regulation May End, Bloomberg (Apr. 11, 2018, 4:00 PM), http://www.bloomberg.com/news/articles/2018-04-11/senators-tell-facebook-ceo-the-days-of-self-regulation-may-end.)) While Mark Zuckerberg claimed that Facebook will enact the same changes for all users that it does for European Union users when it comes to the collection and use of personal data, this may not be the case. ((See Solon, supra note 27.)) When the GDPR went into effect, Facebook worked to move 1.5 billion of the users who would have been governed by the GDPR to different terms of service, essentially making sure they will be governed by more lenient U.S. laws. ((Id.)) While Facebook members not in the United States or Canada used to be governed by terms of service out of Ireland, Facebook made sure to change all non-European Union members to different terms of service. ((David Ingram, Exclusive: Facebook to Put 1.5 Billion Users Out of Reach of New EU Privacy Law, Reuters (Apr. 18, 2018, 8:13 PM), https://www.reuters.com/article/us-facebook-privacy-eu-exclusive/exclusive-facebook-to-put-1-5-billion-users-out-of-reach-of-new-eu-privacy-law-idUSKBN1HQ00P.)) This demonstrates that in actuality, Facebook is avoiding exposure to the strict laws of the GDPR. ((Id.)) While the United States does not have any federal legislation on data privacy that regulates Facebook, states such as California have enacted their own laws regarding the use of data privacy. ((Forbes Technology Council, How Will California’s Consumer Privacy Law Impact the Data Privacy Landscape?, Forbes (Aug. 20, 2018, 9:30 AM), http://www.forbes.com/sites/forbestechcouncil/2018/08/20/how-will-californias-consumer-privacy-law-impact-the-data-privacy-landscape/#48e7f413e922.))
The California Consumer Privacy Act enacted in 2018 has the aim of protecting California’s residents from the threat of data breaches. ((Id.)) It provides rights to consumers to have access and control of their data. ((James Kalyvas et al., California Moves Towards GDPR-like Privacy Protections in the California Consumer Privacy Act of 2018. Foley & Lardner LLP (July 2, 2018), https://www.foley.com/california-moves-towards-gdpr-like-privacy-protections-in-the-california-consumer-privacy-act-of-2018-07-02-2018/.)) The law will impose many requirements on businesses that collect user data when it goes into effect January of 2020. ((Dom Nicastro, What Is the California Consumer Privacy Act of 2018 and How Does It Affect Marketers?, CMS Wire (Aug. 28, 2018), ttps://www.cmswire.com/customer-experience/what-is-the-california-consumer-privacy-act-of-2018-and-how-does-it-affect-marketers/.)) The law restricts businesses from requiring waivers of consumer rights in order to use their services. ((See Kalyvas et al., Supra note 36.)) The law is similar to the GDPR in various ways. They both require businesses to be transparent in their use of consumer data. ((Id.)) They also both give consumers the right to access their own personal information and have it be “forgotten” by the business using it. ((Id.)) The California Consumer Privacy Act seems to be less stringent than the GDPR when it comes to restricting businesses. While the GDPR mandates that to agree to the use certain personal data, consumers must opt-in, the California Consumer Protection Act states that consumers will have to opt-out of having their personal data utilized. ((Id.)) California’s consumer data protection law was one of the first to be passed following the enactment of the GDPR, but many other states have been improving their data laws as well. States such as Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont, and Virginia have all passed legislation in 2018 that aims to reduce the likelihood of users having their data breached or abused. ((Jeewon Kim Serrato et al., US States Pass Data Protection Laws on the Heels of the GDPR, Data Protection Report (July 9, 2018), https://www.dataprotectionreport.com/2018/07/u-s-states-pass-data-protection-laws-on-the-heels-of-the-gdpr/.)) While many states have enacted their own laws regarding data privacy, legislation on a federal level does not seem to be on the horizon.
There is a possibility of privacy data laws being enacted on a federal level due to the recent public outcry. Some companies seem to be in favor of sweeping regulation similar to the GDPR. A U.S. Senate hearing was held with the purpose of discussing privacy law. ((Ben Kochman, Tech Giants Want Uniform Privacy Law, But No GDPR, Law 360 (Sept. 26, 2018, 7:40 PM), https://www.law360.com/articles/1086064.)) Google, Amazon, Apple, Twitter, AT&T, and Charter Communications claim to be supportive of the prospect of uniform privacy law in the United States. ((Id.)) The representatives from these companies even agreed to assist the Senate Committee on Commerce, Science, and Transportation in creating a uniform federal privacy law. ((Id.)) While the representatives of these companies are all in favor of a uniform federal law for privacy that would take priority over state privacy law, they do not think that it should be modeled after the European Union’s GDPR. ((Id.)) This is because several of the representatives from the hearing believe that the GDPR has “stifled innovation with its time-consuming compliance regulations.” ((Id.)) The representatives themselves did not all agree on what a uniform federal privacy law would look like. ((Id.)) Only one representative supported a blanket “opt in” rule, where users must actively consent to sharing their data, similar to the one the GDPR has. ((Id.)) The disagreement between leading companies in the field at this hearing signals the long road ahead of Congress when drafting a uniform federal privacy law.
If the leaders of the tech industry come to an agreement on how they would craft a uniform privacy law, there would still be much difficulty in getting a law passed. The passage of such a law is largely dependent on the future political climate because the current party in control tends to favor a limited amount of regulation over industry. Due to the scandals that have taken place, including the ones Facebook was involved in, both Democrats and Republicans have been in support of the possibility of uniform federal privacy law. However, this does not mean the parties agree on the specifics of the law. The Trump administration has said they would like a law that balances “privacy and prosperity.” ((Marcy Gordon, Senate Panel Opens Hearings on Crafting US Privacy Law, Fed Times (Sept. 26, 2018), https://www.federaltimes.com/federal-oversight/congress/2018/09/26/senate-panel-opens-hearing-on-crafting-us-privacy-law/.)) The strike of this balance is likely to be something that the two parties will struggle to agree about. In conclusion, Facebook and other tech companies are likely to continue business as usual in the United States for the most part. The changes they will have to make will be largely in Europe due to the enactment of the GDPR. They will also have to make changes when they conduct business in states, such as California, that have enacted their own data privacy laws, but federal law will likely not be enacted in the near future.
Latest posts by Lauren Collins (see all)
- Marketing Battles Spur Litigation: MillerCoors sues Bud Light - April 24, 2019
- Facebook and Data Privacy - February 23, 2019