After months of negotiations, Facebook has reached an agreement with the Federal Trade Commission (FTC) that provides a comprehensive new framework for protecting people’s privacy and the information they give to Facebook.
The agreement will require a fundamental shift in the way Facebook approaches its work, and it will place additional responsibility on the people building products at every level of the company. It marks a sharper turn toward privacy, on a different scale than anything Facebook has done before.
The accountability required by this agreement surpasses current US law and is intended to become a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that Facebook meets these new requirements. Going forward, the approach to privacy controls will parallel the approach to financial controls, with a rigorous design process and individual certifications intended to ensure that Facebook's controls are working, and that problems are found and fixed when they are not.
In reaching this settlement, Facebook has agreed to pay a $5 billion penalty — multiple times what any previous company has paid the FTC — in order to resolve allegations that they violated their 2012 consent order.
The FTC’s investigation was initiated after the events around Cambridge Analytica last year. The handling of this matter was a breach of trust between Facebook and the people who depend on them to protect their data. This agreement is not only about regulators, but it’s also about rebuilding trust with people who use Facebook.
Over the past year, the company made large strides on privacy. Facebook has given people more control over their data, closed down apps and applied more resources to protecting people’s information.
But even measured against these changes, the privacy program being built will be a step-change in terms of how Facebook handles data. The program will be more robust in ensuring that Facebook identifies, assesses and mitigates privacy risk. The program will adopt new approaches to more thoroughly document the decisions made and monitor their impact. Finally, it will introduce more technical controls to better automate privacy safeguards.
As part of this effort, Facebook will be undertaking a review of its systems. The company expects this process to surface issues, which will then be addressed.
Just this month, and in response to the FTC investigation, it was discovered that shortcomings in Facebook's systems allowed some partners to continue accessing data in order to provide Facebook features on their products. While no abuse was found, the new agreement is intended to guard against such risks going forward. Facebook will also be more diligent in how it monitors for abuse and will require developers to be accountable for the ways they use data and to comply with its policies.
Transparency and accountability will be the two driving concepts. There will be quarterly certifications to verify that the privacy controls are working, and where problems are found there will be a maximum effort to fix them. The process ends at the desk of Facebook's CEO, Mark Zuckerberg, who will sign his name to verify that the work was done as promised.
A committee of Facebook's board of directors will meet quarterly to ensure the company is living up to its commitments. The committee will be informed by an independent privacy assessor, whose job will be to review the privacy program on an ongoing basis and report to the board when they see opportunities for improvement.
These efforts will occur under the watchful eye of the FTC and the US Department of Justice. The order imposes a number of reporting requirements to the Commission, which ensures that the FTC and the Justice Department will have clear lines of sight at any given point into how effectively Facebook is meeting its responsibilities.
Even with these new measures in place, Facebook knows they can’t fix all these challenging issues by themselves. To address this, they will formalise and expand their efforts to gain input from experts outside the company.
Facebook also had to resolve an ongoing investigation by the Securities and Exchange Commission (SEC). The SEC alleged that Facebook should have had better processes in place to ensure disclosure to investors of data abuse like what occurred with Cambridge Analytica. The SEC also alleged that, after Facebook learned in late 2015 that a developer had transferred data to Cambridge Analytica in violation of policy, the company should have said more about this abuse in its investor disclosures. The SEC's interest is in ensuring that Facebook is transparent with its investors about the material risks it faces, and this has already led to updates in Facebook's disclosures and controls in this area. As part of the settlement with the SEC, Facebook agreed to pay a $100 million penalty.
“We have heard that words and apologies are not enough and that we need to show action. By resolving both the SEC and the FTC investigations, we hope to close this chapter and turn our focus and resources toward the future. Billions of people around the world use our products to make their lives richer and to help their organisations thrive. That makes it especially important that the people who use our platform can trust that their information is protected. This agreement is an unambiguous commitment to do that.”
Source: Facebook Newsroom