Amid calls by privacy advocates for greater oversight of the data handling practices of big tech firms, the U.S. Federal Trade Commission (FTC) has imposed a record five-billion-dollar penalty on Facebook Inc. for user privacy violations, and unprecedented new restrictions on Facebook’s business operations.
The massive fine follows a sweeping investigation by regulators into how the social media company lost control over massive troves of personal data and mishandled its communications with users in a series of high-profile data breaches over the past few years, including the recent Cambridge Analytica scandal.
The $5 billion civil penalty, which goes straight to the U.S. Treasury, is the largest fine in FTC history.
"The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC," said FTC Chairman Joseph Simons in a statement. "The relief is designed not only to punish future violations but, more importantly, to change Facebook's entire privacy culture to decrease the likelihood of continued violations."
FTC Accusations Against Facebook
Among the numerous charges the Federal regulator accused Facebook of doing was storing millions of user passwords in plain text, without encryption, which exposed users passwords to greater risk of unauthorized access.
Facebook also allegedly misused phone numbers provided for two-factor authentication that was supposedly required to enhance account security to also target advertisements to its users.
Additionally, the FTC alleged that Facebook deceived "tens of millions of users" by implying that a facial recognition feature on the service had not been enabled by default, when in fact it had.
The Federal bureau responsible for consumer protection and the elimination of anticompetitive business practices also alleged that Facebook "used deceptive disclosures and settings" that eroded user privacy, violating a prior agreement it signed with the commission in 2012.
"We've agreed to pay a historic fine, but even more important, we're going to make some major structural changes to how we build products and run this company,” Facebook CEO Mark Zuckerberg said in a Facebook post. “We have a responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry."
New Privacy Oversight Terms
As part of the settlement with the FTC, Facebook agreed to stringent orders to restructure its approach to privacy from the corporate board-level down, and it accepted greater oversight of its privacy practices on its services, including Instagram and WhatsApp.
The social network's corporate board must now form a privacy oversight committee made up of independent members who cannot be fired by Zuckerberg alone.
That committee will be charged with appointing other officials who must periodically and truthfully certify that Facebook is complying with the FTC agreement, or risk being held personally liable.
The new FTC agreement also states that a third-party entity will regularly review Facebook's data collection practices for the next 20 years.
That assessor's findings "must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management," the FTC said.
Other Big Tech Put on Notice
News of the massive fine puts other big tech on notice that any company failing to protect consumer data may now face greater legal risks than previously. The FTC fine highlights Washington's apparent commitment and ability to regulate Silicon Valley, as more regulators and lawmakers seek greater transparency and accountability from big technology companies.
Facebook — once a celebrated example of American ingenuity and the darling of policymakers — has moved from crisis to crisis on privacy and security matters. And with the power big tech companies like it wield over personal information and social movements, these companies are increasingly being seen as wielding too much power that is now being considered dangerous.
Critics of the $5 billion civil settlement — which amounts to only about a month's worth of revenue for Facebook — say it is not a huge enough deterrent for future data handling missteps by Facebook.
FTC minority members, Democrats Rohit Chopra and Rebecca Slaughter, in dissents against the commission’s majority decision to fine Facebook $5 billion, said they believed the fine was far too small, and that the FTC wrongfully gave Zuckerberg and Facebook COO Sheryl Sandberg a pass.
"Failing to hold them accountable only encourages other officers to be similarly neglectful in discharging their legal obligations," wrote Chopra. "In my view, it is appropriate to charge officers and directors personally when there is reason to believe that they have meaningfully participated in unlawful conduct, or negligently turned a blind eye toward their subordinates doing the same."
The majority decision, however, did pass the resolution that Zuckerberg and other appointed officials must periodically and truthfully certify that Facebook is complying with the FTC agreement, and submit quarterly and annual privacy certifications to the FTC.
"False certifications would subject Mr. Zuckerberg and the [designated compliance officers] to personal liability, including civil and criminal penalties," Simons said in a statement written jointly with the Commission's two other Republican members, Christine Wilson and Noah Phillips.
The FTC voted 3-2 to approve the $5 billion settlement, seemingly along party lines.