Following more than a year of speculation since the Federal Trade Commission announced it was investigating Facebook over privacy lapses, the regulator has officially announced the terms of its settlement with the beleaguered social network: $5 billion (as previously rumored) and improved privacy oversight within the company.
The order was approved in a 3-2 vote by the agency’s commissioners. The FTC notes that the penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy — as well as flagging that it’s “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide”.
In addition to the money, Facebook will have to create a board committee on privacy, and must provide executive assurance that user data is being respected.
“The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight,” the FTC writes in a press release announcing the decision.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC chairman, Joe Simons, in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
The FTC says the structure of its 20-year order against Facebook removes the “unfettered control” over privacy decisions exercised by CEO Mark Zuckerberg — by creating greater accountability at the board of directors level via the establishment of what it calls an “independent privacy committee”.
“Members of the privacy committee must be independent and will be appointed by an independent nominating committee,” it writes. “Members can only be fired by a supermajority of the Facebook board of directors.”
Facebook will also be required to designate compliance officers who will be responsible for Facebook’s privacy program.
“These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee — not by Facebook’s CEO or Facebook employees,” it writes. “Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.”
The FTC first confirmed that it was investigating Facebook in March of last year, during the then-new hubbub surrounding Cambridge Analytica’s abuse of data siphoned from the network. The regulator was specifically concerned that Facebook had been systematically violating the terms of its 2012 agreement, which barred them from a number of practices concerning user data.
Rumors started less than a year later that the fine the FTC was considering would be “record-setting,” though as many pointed out at the time, almost any conceivable amount would be easily (if not gladly) written off by the company, which brings in upwards of $50 billion per year in revenue.
In April, seeing the writing on the wall and perhaps privy to some of the conversations, Facebook set aside $3 billion to cover the costs of the settlement it knew was coming (it still made a $2.4B profit), but said it expected the number may actually be $5 billion. And indeed that is the number that surfaced two weeks ago in early reports of the FTC vote. (Some had suggested fines far higher, perhaps mitigated by good behavior, but the FTC doesn’t seem to have taken them up on the idea.)
Facebook has responded to the penalty in a lengthy blog post penned by Colin Stretch.
“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company,” he writes. “It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.
“The accountability required by this agreement surpasses current US law and we hope will be a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.”
Stretch goes on to describe the Cambridge Analytica data misuse scandal as “a breach of trust between Facebook and the people who depend on us to protect their data”, before claiming the company will adopt a new more “robust” approach to privacy risk.
“We will be more robust in ensuring that we identify, assess and mitigate privacy risk,” he writes. “We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards.”
He also says Facebook will undertake a review of its “systems” — which he says the company expects will surface “issues” — pledging that “when it does, we will work swiftly to address them”.
In the blog he also confirms Facebook has settled a separate investigation by the Securities and Exchange Commission — agreeing to pay a further $100M to resolve a probe of its processes for disclosing data abuses to investors.
“We share the SEC’s interest in ensuring that we are transparent with our investors about the material risks we face, and we have already updated our disclosures and controls in this area,” he writes, adding: “As part of the settlement with the SEC, we agreed to pay a $100 million penalty.
Developing…
from TechCrunch https://ift.tt/2Z520ua
via IFTTT
No comments:
Post a Comment