With no clear liability against Facebook, professor calls for stronger data privacy laws

Photo illustration by Matthew Modoono/Northeastern University

The Federal Trade Commission announced Tuesday that it has opened an investigation into Facebook after a data analytics firm collected the private data of more than 50 million users.

Cambridge Analytica, the data company hired by the Trump campaign in 2016, has been accused of taking private information unbeknownst to users. The FTC will investigate whether or not Facebook violated a 2011 consent order with the FTC over its handling of user data and how the company notifies changes to its terms of service.

What is the basis of the FTC investigation into Facebook?

In 2011, Facebook signed a contract with the FTC called a consent order. It’s an agreement in which Facebook promises not to make any misrepresentations about privacy or data security, to give notice to users if it uses certain nonpublic information, and to create a comprehensive privacy program. This complicates the investigation because if you look at the text of the consent order, it’s actually not immediately clear whether Facebook’s actions violated any of the terms of the consent order.

It is likely that the FTC is going to investigate, put public pressure on Facebook, and probably force a little transparency from the social network. But I’m not entirely sure that the result of that investigation is going to lead to a conclusion that Facebook violated the consent order. If you look at the facts that have been reported so far, the system worked exactly as Facebook intended it to. Facebook had a process by which third parties could collect data on Facebook users who agreed to share data with those third-party developers. The system was designed to allow massive amounts of information to be collected on Facebook users under the auspices that permission was given in hard-to-find boilerplate terms of use that nobody reads. The real problem is a breach of trust by the developer who collected the information.

Whether users’ privacy settings were visible is another question.

So then is this necessarily a legal case?

Privacy law in the United States is multifaceted. The FTC is the main enforcer of privacy within the U.S., but there are also common law torts that might be relevant. There are also breach-of-contract claims that might be relevant. There are disclosures that Facebook is required to make to other administrative agencies, like the Securities Exchange Commission (SEC).

I’m not entirely sure that the result of that investigation is going to lead to a conclusion that Facebook violated the consent order.

Woodrow Hartzog, Law professor

It’s possible that liability can be found on several grounds. There are state data-protection laws and security laws that might be implicated here. There are also several possible theories of liability here. One is that Facebook didn’t adequately follow up when it was notified of a possible breach of the terms of services agreed to by the developers when they get access to user data. In other words, it’s a failure of due diligence, not necessarily a deception case.

There are multiple possible liabilities in this situation, but looking at the facts as reported I’m not sure which, if any, are clear-cut cases of liability. And what this shows is that there is an entire category of problems involving user data for which there is not a clear remedy in U.S. law. This should put lawmakers on alert and nudge them to create new laws, like a national privacy law. Or maybe it involves broadening and strengthening the authority of the FTC. Right now, the FTC acts on relatively limited authority to police these practices as compared to Europe, where the General Data Protection Regulation (GDPR) has very broad powers of enforcement.

How realistic is it for Facebook to enforce its terms of service, given the scale of its users?

This is one of the harder questions. It may be true and very possible that enforcing its terms may require Facebook an incredible expenditure of resources and time. But when the law is deciding where the obligation should lie, it should lie on the company that created the system to facilitate it.

The straightest path forward is to finally push through a federal data privacy law.

Woodrow Hartzog

It’s incumbent upon Facebook to figure out a way to adequately verify these third-party companies, and if there’s no way to adequately verify them then maybe we need to revisit the practice altogether. Otherwise, we’ve created a system with an imprimatur of legitimacy that Facebook ostensibly has these rules that you’re theoretically supposed to follow. But if there’s no follow up and no accountability, then it’s, in practice, creating a free pass for companies to violate the terms without any fear of meaningful enforcement.

This had wide-reaching implications for the 2016 election, but it seems that it has broader implications about personal data in general. How does the United States move forward in protecting privacy and user data?

The straightest path forward is to finally push through a federal data privacy law, which is an initiative that has been attempted several times. But for various reasons, there hasn’t been enough political will to push it through. This issue might give lawmakers the impetus to finally do so.

In addition to the FTC investigation, both the Massachusetts and New York attorneys general are looking to also investigate Facebook. How will that play into the FTC inquiry?

At the federal and state levels, when it’s a fairly large investigation you may see cooperation between the state and federal agencies. It wouldn’t surprise me if the FTC started working with the state attorneys general to coordinate an investigation because the rules that the states have are in harmony with the rules at the federal level. It’s important to watch and see what coordination may take place because in some instances, the state attorneys general have even more power than the FTC and are able to move with a little more agility in ways that can help bring about some sort of accountability. It wouldn’t surprise me to see states lead the way here, particularly if it comes out that the FTC is limited because of the governing consent order that they have with Facebook.