Privacy compliance might no longer be the same after the $5 billion fine against Facebook to be issued by the Federal Trade Commission following the Cambridge Analytica case.
The $5 billion FTC privacy fine against Facebook
The facts of the Cambridge Analytica case are quite well known. In March 2018, news emerged that an English research company, Cambridge Analytica, had used the data of 87 million Facebook users to analyze their personalities. The goal of this psychological profiling was to influence the 2016 American elections.
The Cambridge Analytica scandal led to investigations by the main data protection authorities, and ultimately the Italian Garante issued a €1 million fine against Facebook (read on the topic “Facebook receives € 1 million privacy fine for Cambridge Analytica scandal in Italy”).
The US Federal Trade Commission also opened an investigation and, according to the press, has now approved a settlement providing for a fine of roughly $5 billion for the privacy breaches committed by Facebook. The US Justice Department still needs to approve the settlement, but it rarely rejects settlements reached by the agency.
What’s the impact of the Facebook fine on the future of privacy compliance?
The Facebook fine comes during a period of groundbreaking data protection fines, which considerably exceed the €50 million GDPR fine issued by the CNIL. This comes at a time when, after the first months following the effective date of the GDPR, privacy authorities have resumed their investigations through dawn raids that are becoming substantially more aggressive. Indeed, the principle of accountability places on the investigated party the burden of proving that the appropriate data processing activities were carried out (read on the topic “Top 5 immediate actions to get ready for privacy dawn raids”).
It might be the heat of the summer, but it could instead be a wake-up call for companies to take data protection compliance more seriously. After the rush to “show” GDPR compliance in the months before the 25th of May 2018, several companies had:
- completely closed their GDPR compliance program,
- left DPOs as the sole guardians of privacy compliance, even where they are the data protection officers of large groups, are based in countries other than those of the companies they are meant to monitor, do not speak the local language and know little about the local level of privacy compliance;
- considerably reduced (if not canceled) the budget allocated to data protection compliance, assuming that everything required had already been done; and
- appointed privacy champions in the business units who have only attended a one-day training on privacy compliance and are often not even aware of their appointment.
The scenario above does not apply only to small companies. Based on my experience, it is quite frequent in multinational companies, especially those headquartered in the United States.
The required change in the approach to data protection law compliance is a cultural change. I still hear very reputable professionals proudly stating
“privacy doesn’t exist anymore”
because of the invasive processing of personal data by online companies.
But privacy is not the same as data protection, and data protection does not mean confidentiality. Data protection means that the personal data have to be processed transparently, and only within the limits and subject to the conditions provided by the applicable regulatory framework.
Individuals need to be able to understand
- what personal data are collected;
- how personal data are processed;
- when personal data are processed;
- by whom personal data are processed; and
- to whom personal data are communicated.
This simple paradigm requires a change in the way companies operate, but above all a cultural shift that needs to start from the top management of companies.
My frequent motto is that our goal as data protection lawyers is to
“find the legal justification to let our clients do what they want to do”.
The proper identification of the legal basis supporting a data processing activity can make a huge difference at a time when data protection fines are “no longer peanuts”.
My top 3 best practices arising from this case
In my view, the main points to consider are:
- A formal approach to data protection law compliance is not sufficient. Companies need an internal organization that monitors privacy compliance, as well as procedures and technical measures that clearly tell employees what to do with personal data and how to do it, together with periodic audits of compliance with them;
- Any investment in data protection law compliance would be a waste of money if not followed by a cultural change that needs to come from the top management, as otherwise it will only appear as a new useless obligation to be bypassed; and
- Data protection law compliance can look like a cost for operations. But if companies are wisely advised, it can become a competitive advantage at a time when data are becoming an ever more valuable asset.
In the age of digital transformation, data protection compliance is a continuous work in progress. But the general principles of the GDPR may make it possible to find solutions for most of the innovative projects that a company wants to run.