While many stakeholders say the record-breaking $5 billion FTC penalty doesn’t go far enough to protect users’ privacy, the social media giant has been ordered to create an internal privacy oversight board.
The Federal Trade Commission announced a $5 billion settlement with Facebook last week, over charges the social media platform deceived users about their ability to control the privacy of their personal data. The settlement contains requirements for how Facebook controls and notifies users about its data use.
If approved by a federal judge, the settlement will resolve the massive FTC investigation into both Facebook's mishandling of communications with its users and its loss of a large amount of personal data.
Over the past few years, there have been an increasing number of reports that shed light on the social media giant’s privacy practices, including several involving personal health information. A complaint to the FTC in December accused Facebook of misleading its users about the privacy practices of “closed health groups.”
Advocates argued the platform “deceptively solicited” patients to use the “Groups” function of Facebook to share their personal health information. They argued the company failed to protect the data uploaded in these groups, which potentially exposed the information to the public.
Meanwhile, a JAMA report showed that mental health apps may be sharing data with third-party apps like Facebook without explicit consent.
According to the notice, the yearlong FTC investigation has led the Department of Justice to file a complaint on behalf of FTC with similar allegations: that “Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.”
“These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook ‘friends,’” FTC officials explained.
What’s more, the investigation alleged that most users were unaware Facebook was sharing that information and did not take the necessary steps to opt out of the process. FTC officials also claimed the social media giant did not take necessary steps to deal with apps that were knowingly violating Facebook’s policies.
Under the 20-year settlement order, FTC will impose new restrictions onto the platform’s business operations, while establishing multiple compliance channels. The goal will be to create greater transparency into Facebook’s decision-making policies and hold Facebook accountable.
Part of that accountability will be reports for new or modified services that involve user data, including health information and biometrics. Facebook must outline the type of data to be collected and how it will be used, retained, or shared, and must explain to users how they can consent to the collection of their covered data.
Facebook must also disclose any risks to the privacy, confidentiality, or integrity of the covered data and whether it will apply new safeguards to control those risks.
The platform will also be required to restructure its privacy approach from the board-level down and create strong mechanisms to ensure Facebook executives are held accountable for privacy decisions. Those decisions will also be subjected to meaningful oversight.
Further, the order will establish an independent privacy committee of Facebook’s Board of Directors, “removing unfettered control by Facebook CEO Mark Zuckerberg over decisions affecting user privacy.”
The new compliance teams will be mandated to provide the FTC with quarterly certifications showing that the company is in compliance with the privacy program mandated by the order, in addition to an annual compliance report. Decisions around users’ privacy must also be documented, and the compliance team must report breaches involving 500 or more users to the FTC within 30 days of discovery.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” FTC Chairman Joe Simons said in a statement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
The $5 billion penalty is the largest ever imposed on a company for violating consumers’ privacy, nearly 20 times greater than any previous government settlement. FTC officials voted three to two to pass the resolution, with the two Democrats dissenting because they felt the settlement did not go far enough.
“Failing to hold them accountable only encourages other officers to be similarly neglectful in discharging their legal obligations,” Commissioner Rohit Chopra wrote. “In my view, it is appropriate to charge officers and directors personally when there is reason to believe that they have meaningfully participated in unlawful conduct, or negligently turned a blind eye toward their subordinates doing the same.”
Other industry stakeholders agreed, with the privacy advocacy group EPIC filing a lawsuit on Friday to intervene in the FTC settlement, calling the settlement “neither procedurally nor substantively fair.” Further, they argued it doesn’t contain adequate provisions to ensure consumer privacy and is “clearly not in the public interest.”
In the past, healthcare stakeholders have argued, in direct response to the Facebook scandal, that social media platforms need transparent privacy policies for healthcare data. The Department of Health and Human Services recently reiterated that third-party apps aren’t subject to HIPAA. However, when a patient requests the use of an outside app to share data, providers should outline known privacy risks.
Date: August 06, 2019