Governance & Risk Management , Privacy , Standards, Regulations & Compliance
Facebook's FTC Privacy Settlement Challenged in CourtFederal Judge Still Considering Objections From Privacy Groups
Six months after Facebook agreed to a landmark privacy settlement with the U.S. Federal Trade Commission that included a record $5 billion fine, a federal judge is still considering objections from advocacy groups that claim the deal doesn't go far enough.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Judge Timothy J. Kelly has given Facebook and the FTC until Jan. 24 to respond to objections raised by several privacy and consumer advocacy groups, including the Electronic Privacy Information Center, which raised concerns about whether the settlement does enough to protect users' data and address privacy concerns, according to court documents filed in the case.
EPIC is asking the judge to send the agreement back to the FTC for reconsideration.
Facebook, the FTC and the U.S. Justice Department announced the original settlement in July. It calls for the social media giant to follow several privacy provisions over the next 20 years. These include creating an independent commission overseen by the company's board of directors that will take many of the user privacy decisions out of the hands of CEO Mark Zuckerberg, who is now required to summit quarterly and annual reports to the FTC about compliance with the settlement.
When the settlement was announced, many politicians in both parties, as well as consumer advocacy groups, argued that it gives the company too much control over user's data (see: Lawmakers, Privacy Advocates Slam FTC's Facebook Settlement).
The settlement must win court approval before it can be enforced. But Judge Kelly has given EPIC, as well as other privacy and citizens' rights groups, extra time to raise objections about the deal before making a final decision.
Complaints About Settlement
In its legal brief, EPIC's attorneys argue that the new settlement is not substantially different than the previous privacy settlement that Facebook and the FTC reached in 2012.
Under the original August 2012 consent order with the FTC, Facebook was required to obtain permission from consumers before making changes to privacy settings. That same agreement also barred the company from sharing the data of its users with third parties without their consent.
In March 2018, the FTC launched an investigation as a result of the Cambridge Analytica controversy over how the now-defunct voter profiling firm improperly obtained profile data for 87 million Facebook users without their consent (see: Facebook and Cambridge Analytica: Data Scandal Intensifies). That investigation ultimately led to the July 2019 settlement.
EPIC and others argue that the settlement is "not fair and not adequate." The consumer groups point out that it releases Facebook from liabilities regarding other privacy and user data violations that are not addressed, including the integration of personal data from WhatsApp, which the company owns.
"There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices," according to EPIC's brief. "This is almost unimaginable given the extensive evidence of ongoing privacy violations by the company, documented by EPIC and other consumer privacy organizations, as well as the more than 29,000 complaints against Facebook currently pending at the commission."
EPIC also objects to the mandatory privacy program that Facebook must enact as a result of the 2019 settlement. The group argues the program is not not substantially different than other privacy controls that were part of the 2012 settlement with the FTC. "There is no reason to believe this will be any more effective at preventing privacy abuses," EPIC states.
EPIC also argues that the 2019 agreement does not address some of the technologies that Facebook is planning to deploy, which includes facial recognition and the collection of other biometric data, the court papers show.
"The FTC settlement provision on facial recognition raises more questions than it answers," EPIC argues. "Does Facebook only have to show the notification once for each user? Can a user’s account be limited if they refuse to accept Facebook’s use of facial recognition? What about individuals who do not have Facebook accounts but whose images are uploaded to Facebook?"
While the judge overseeing the settlement is giving Facebook and the FTC until later this month to respond, the social media firm says that it's already working toward fulfilling its obligations.
In a statement provided to Information Security Media Group, Michel Protti, Facebook’s chief privacy officer of product, did not address the specific complaints that EPIC raised, but noted that the company is moving ahead even if a final order hasn't been signed by the judge.
"We are taking the necessary steps to implement this agreement,” he says. “We’ve put dozens of teams in place, made many of the necessary structural and technical changes and expanded privacy protections across our products. This agreement has been a catalyst for change within Facebook, and we are committed to this work for the long term."
In a statement to ISMG, a FTC spokesperson noted that "the settlement we announced this summer imposes a record-setting $5 billion penalty and requires widespread changes in how Facebook approaches privacy. This settlement will greatly benefit consumers, and we are confident the court will approve it."
James Kohm, the director of enforcement in the FTC’s consumer protection bureau, told the Wall Street Journal that the commission was aware of the complaints made by EPIC and others and argues that the July settlement addresses the issues raised.
Kohm added that he expects the judge to approval the settlement as drafted.
Meanwhile, Facebook is facing new criticism over its plan to allow political campaigns to target voters with advertisements and not police the truthfulness of those ads, according to the New York Times.
When Zuckerberg testified before a House committee in October, he was questioned by representatives about the role the company would play in the 2020 election, including allowing misleading political ads (see: Congress Grills Facebook's Zuckerberg on Cryptocurrency Plans).