
The FTC has been the toughest on Facebook so far, but it may not be enough

The fine approved by the FTC against Facebook on 24 July 2019 amounts to almost $5bn. It is far higher than any fine issued in the EU under GDPR so far, and could have been even higher, with Mark Zuckerberg also held personally accountable for the company’s conduct. To some extent, the decision shows that US authorities are starting to take privacy regulation at least as seriously as their counterparts in the EU; on the other hand, heavy fines do not go far enough to solve the market problem. While some regulators are starting to consider antitrust remedies, these have not yet taken a clear shape, and it will be some time before authorities figure out such an approach.

On top of a high fine, the FTC establishes much stronger oversight of Facebook’s privacy practices

The fine approved by the FTC against Facebook on 24 July 2019 amounts to circa $5bn. This exceeds the amount of money the company said it had put aside in its Q1 financial results ($3bn), and is much higher than any data protection-related penalty imposed by any regulator until now. To put things into perspective, the highest fine issued under GDPR so far has been €50m against Google, as decided by the French data protection authority CNIL, for conduct the CNIL noted was still taking place at the time of the fine. Nonetheless, reports say the FTC fine could have been far higher, and could have held the company’s founder Mark Zuckerberg personally responsible for the misconduct. The new settlement will also involve the creation of a board committee on privacy, whose members cannot be fired by Zuckerberg alone; the committee will also have the exclusive power to remove any privacy compliance officer the company designates. Facebook will also have to submit quarterly certifications of compliance with the privacy program mandated by the FTC’s order.

At the start of its investigation, the FTC said each violation could cost the company up to $40,000, i.e. $40,000 for every user for whom the FTC found that Facebook unduly shared their personal data. The inquiry aimed to find whether the company violated a privacy settlement of 2011. The settlement established five commitments for Facebook, which was required not to make misrepresentations about the privacy or security of consumers' personal information; to obtain consumers' “affirmative express consent” before enacting changes that override their privacy preferences; to prevent anyone from accessing a user's data more than 30 days after they have deleted their account; to maintain a comprehensive privacy program, to address risks associated with new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

After the Cambridge Analytica scandal, data protection authorities intervened, followed by antitrust authorities

The Cambridge Analytica (CA) scandal was simply too big to go unnoticed. It all started in the UK, with the data protection authority ICO investigating possible misuse of personal data with regard to the country’s referendum on EU membership during 2017. This led the ICO to fine Facebook £500,000 in October 2018, specifying that the fine was that low only because the conduct occurred at a time when the GDPR was not yet in force. Regulators in several countries started taking action against possible breaches of their citizens’ data. In the US, the FTC began its inquiry in March 2018; alongside the above-mentioned $5bn fine, this resulted in the FTC suing Cambridge Analytica on 24 July 2019. In Ireland, where Facebook has its main European establishment, and where in turn the main competent authority to oversee Facebook is based, the DPC only started its investigation in October 2018, and it is understood to be still ongoing.

Between the end of 2018 and early 2019, initiatives of data protection authorities and of antitrust authorities started to overlap. The Italian competition authority fined Facebook €10m for misleading subscribers about how personal data are used, and, more recently, the Italian data protection authority issued a €1m fine in relation to the CA scandal, which indirectly affected 214k Italian citizens. The competition authority in Germany ordered Facebook to stop combining user data from different sources, as the company also runs the Instagram and WhatsApp services. Finally, when the company announced it is building an integrated messaging platform across the three applications, the Irish DPC began an investigation to ensure the plan is carried out in compliance with the provisions of the GDPR. Such overlap partly depends on the nature of Facebook’s business model, which not only requires scrutiny on the privacy front; it is also seen to create market barriers, thereby calling competition authorities to action. The cases of recent months are likely to be part of a longer trend, which will extend to the coming years while regulators grapple with the issue of how to solve the market problem without merely resorting to fines.

The company’s share price did not suffer significantly from the fine, as Facebook still faces little competition

The company’s stock price went up by 1.8% on the day of the announcement of the fine, which was still unconfirmed at the time of writing this note; it fell by 3.2% in the week that followed. However, it started recovering at the beginning of this week (rising 1.8% on Monday, 22 July) and is now close to its highest level in the year to date and in the last 12 months, i.e. after the Cambridge Analytica scandal broke out.

Several factors help explain the relatively limited damage. One of them relates to the end of the uncertainty around the fine, since the DOJ generally confirms the FTC’s decisions without requesting amendments, and there is no sign that this time could be different from previous cases. While the fine is higher than the sum set aside by the company at the end of Q1 2019, investors now have clarity as to how the penalty will impact the company’s finances. Another factor keeping Facebook safe from damage is the difference between 2018 and 2019, i.e. the realisation that data protection regulation alone, in its current form, does not affect the platform’s business model profoundly enough to cause significant disruption: while growth in user base in developed markets has significantly slowed down, Facebook has still seen an 8% increase in daily active users year-on-year, and a 26% increase in advertising revenue compared to Q1 2018. This is due to a lack of competitive pressure, since Facebook’s platform has no real rivals in its market. This means, on the one hand, that users who decide to leave do not have a real alternative, and on the other hand that Facebook has no market incentive to make significant changes to its business model. It is then not surprising that some regulators are starting to consider antitrust remedies, although no one has yet worked out which shape these could take; and that Facebook’s Vice President of Global Affairs and Communications, Nick Clegg, recently admitted the company warrants some form of regulation, but argued this should relate to data protection, political advertising, harmful content, and data portability, rather than breaking up the company.