WASHINGTON: US officials have approved a record $5-billion settlement with Facebook to resolve the Cambridge Analytica data privacy scandal, prompting an outcry from lawmakers and privacy advocates who said it didn’t go far enough.
Although details of the settlement with the US Federal Trade Commission (FTC) weren’t announced, the fine is steep but far from devastating for Facebook. The company, which reported revenue of almost $56 billion in 2018, said earlier it had set aside $3 billion in anticipation of the fine.
“This reported $5-billion penalty is barely a tap on the wrist, not even a slap,” said Senator Richard Blumenthal, a Connecticut Democrat, who called for a hearing on the agreement. “Such a financial punishment for purposeful, blatant illegality is chump change for a company that makes tens of billions of dollars every year.”
The FTC settlement was approved by a vote of 3-2, according to two people who asked not to be named because they weren’t authorised to speak publicly about the decision. The agreement still needs approval from the US Justice Department.
The resolution caps an investigation that opened in March 2018 after news that Cambridge Analytica, a consulting firm hired by President Donald Trump’s campaign, obtained user data from a researcher who created a personality quiz app on the social network.
The settlement marks the most significant action yet against Facebook over a series of mishaps that have compromised users’ data and sent the company reeling from one crisis to another. The FTC’s two Democratic commissioners, Rebecca Kelly Slaughter and Rohit Chopra, voted against it, according to one of the sources.
Slaughter, Chopra, Facebook and the FTC declined to comment.
The job of defending the settlement will fall to FTC chairman Joe Simons, who has tried to avoid split enforcement decisions as head of the agency.
While Facebook had agreed to give its board oversight of its privacy policies, CEO Mark Zuckerberg is the controlling board member with nearly 58% of the voting power. The board also includes Facebook’s other top executive, chief operating officer Sheryl Sandberg. The two already have power over the company’s privacy policies.
Public-interest groups including Public Knowledge, Public Citizen and the Open Markets Institute said any deal with the FTC should impose remedies that would rein in Facebook’s data collection practices in addition to a fine.
“Something clearly has to be done to strengthen the data protection practices of that company,” said Marc Rotenberg, president of the Electronic Privacy Information Center, which filed a complaint against Facebook that led to the FTC’s 2011 consent decree with the social-media company that addressed a litany of deceptive practices.
The tech industry group NetChoice praised the fine, saying it would motivate companies to improve their privacy practices.
The Cambridge Analytica incident stems from a personality-quiz app offered to Facebook users by a Cambridge University researcher. About 270,000 people downloaded the app, allowing the researcher to access data about those individuals and their friends. The information was subsequently sold to Cambridge Analytica.
Even as it resolves the FTC privacy inquiry, Facebook is still grappling with regulatory scrutiny on several other fronts — including the prospect of a new investigation by the FTC’s antitrust section. One area of focus is likely to be the company’s acquisitions of the photo-sharing app Instagram and the WhatsApp messaging service.
Other leaky controls have also come to light. Facebook acknowledged giving big tech companies like Amazon and Yahoo extensive access to users’ personal data, in effect exempting them from its usual privacy rules. And it collected call and text logs from phones running Google’s Android system in 2015.
The company faces a slew of other investigations, both in the US and overseas, that could carry their own fines and, more importantly possible limits to its data collection. This includes nearly a dozen by the Irish Data Protection Commissioner, which oversees privacy regulation in the European Union.