The Fallout from Facebook – Mike Gillespie posts

News and information from the Advent IM team.

From Advent IM MD, Mike Gillespie

This week, following an extensive investigation into charges that Facebook Inc violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information, the Federal Trade Commission handed down a $5bn penalty to Facebook.  This is by far the biggest penalty ever handed down anywhere in the world for privacy failures; it dwarfs the recent £44m Google fine handed down by the French Data Protection watchdog.  Facebook’s annual revenue was $55.8 billion in 2018, with a net income of $22.1 billion. Based on those figures, this penalty equates to approximately 9% of their annual revenue and 25% of their net income, significantly more than the maximum penalty that could be handed down by any European watchdog under GDPR, and is one of the largest penalties ever assessed by the U.S. government for any violation.

Beyond the financial penalties, what is more interesting is that the FTC has clearly demonstrated a desire to hold the company accountable for the decisions it makes about its users’ privacy in the future.  The FTC has required Facebook to submit to unprecedented new restrictions on its business practices and to implement a modified corporate structure around its approach to privacy from the corporate board level down.  This also establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.

FTC Chairman Joe Simons said: “Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices. The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division said: “The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information.  This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.”

To my mind, it is the corporate governance element that is far more important than the levy of the financial penalty, big as that is.  This is because it mirrors what we at Advent IM have been saying for some years now.  Privacy and Data Protection, and indeed all of the information-related disciplines such as information security and records management, need to be seen by organisations as an integral and embedded part of how we do business, rather than a grudge buy or, even worse, a box to be ticked and then forgotten about.

In a statement on Facebook, Mark Zuckerberg said:

“As part of this settlement, we’re bringing our privacy controls more in line with our financial controls under the Sarbanes-Oxley legislation. Our executives, including me, will have to certify that all of the work we oversee meets our privacy commitments. Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program. We’ve also asked one of our most experienced product leaders to take on the role of Chief Privacy Officer for Products.”

All information risk, and especially risks to the privacy of the data subject, must have clear oversight and ownership at board level, and it is long overdue for security and privacy to be brought in line with other corporate governance mechanisms.  Moreover, organisations need to finally accept that security and privacy cannot be achieved through technology alone, but rather must be addressed through a wholesale overhaul of the organisation’s culture. Culture that begins at the very top of the organisation and that is then championed by leadership roles throughout the organisation. Culture that is visible, is real, and is fully aligned to the core values of the organisation. Culture that is lived and breathed by every member of staff.

Only when organisations truly develop a culture where information is valued and used, especially when it comes to personal data, in a way that is respectful of the fundamental rights and freedoms of the individual will we all benefit.
