Facebook to pay record €4.5bn fine for privacy breaches
Facebook has agreed to pay a €4.5bn fine to the US Federal Trade Commission for shortcomings in its privacy practices.
The social media giant, which employs 3,000 people at its European headquarters in Dublin, has also agreed to a new corporate restructuring to better safeguard the privacy of its users.
The size of the fine may put a spotlight on upcoming decisions from the Irish Data Protection Commissioner, Helen Dixon, who is due to rule on several investigations into Facebook under GDPR law. Facebook has over 10 statutory enquiries under consideration from the Irish data authority, which acts on behalf of the European Union.
The US authorities say that Facebook had failed to prevent access to data by third-party companies, including Microsoft and Sony.
Under the settlement, Facebook’s board will create an independent privacy committee that removes “unfettered control by Facebook CEO Mark Zuckerberg over decisions affecting user privacy.”
Facebook also agreed to pay a fine of €89.7m to the US Securities and Exchange Commission to settle allegations that it misled investors about the seriousness of the misuse of users’ data.
Under the US agreement, Facebook will now be legally banned from asking for email passwords to other services when consumers sign up. It is also banned from using telephone numbers obtained for a security feature, such as two-factor authentication, for advertising, and must get user consent to use data from facial recognition technology.
Facebook said the deal worked out with the FTC would give the company “a comprehensive new framework for protecting people’s privacy,” and that it expected to find additional problems as it initiates a review of its systems.
“We've formally reached a settlement with the Federal Trade Commission about privacy,” said Mark Zuckerberg, Facebook chief executive. “We've agreed to pay a historic fine, but even more important, we're going to make some major structural changes to how we build products and run this company.
“Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.
“Our executives, including me, will have to certify that all of the work we oversee meets our privacy commitments. Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program. We've also asked one of our most experienced product leaders to take on the role of Chief Privacy Officer for Products.
“To implement this, we’ll have to review our technical systems to document any privacy risks and how we're handling them. Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we're taking to mitigate them. We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward.”
However, some regulators say that Facebook got off too lightly.
Democratic FTC Commissioner Rohit Chopra said the penalty provided “blanket immunity” for Facebook executives “and no real restraints on Facebook’s business model” and did “not fix the core problems that led to these violations.” Chopra and Democratic FTC Commissioner Rebecca Slaughter said the €4.5bn penalty may be less than Facebook’s gains from violating users’ privacy.
“Until we address Facebook’s core financial incentives for risking our personal privacy and national security, we will not be able to prevent these problems from happening again,” Chopra said.
The FTC Republican majority argued the settlement “significantly diminishes Mr Zuckerberg’s power — something no government agency, anywhere in the world, has thus far accomplished.”