US, European Regulators Levy Massive Fines for Privacy Violations
July 16, 2019 | Avigael C. Fyman

This past week, the Federal Trade Commission (FTC) voted to approve a record-breaking $5 billion settlement with Facebook, resolving its investigation into the charge that the company violated a prior settlement with the Commission when it improperly permitted political data firm Cambridge Analytica to access 87 million users’ personal information.
Cambridge Analytica created a personality quiz that accessed the data of Facebook users who took the quiz, as well as the data of their friends who had not. Some of that data was then used to target US voters on behalf of the Trump campaign.
Pursuant to a 2011 consent decree, Facebook had agreed to clearly notify users regarding its privacy policies and to gain users’ express consent to share data. The consent decree also permitted the FTC to fine Facebook for up to $40,000 a day per individual violation, which, given the number of people affected by the Cambridge Analytica scandal, could have amounted to a fine as high as $2 trillion.
A number of Democratic lawmakers and other critics have alleged that the settlement does not go far enough. They note that although $5 billion is, by far, the largest fine the FTC has ever imposed against a technology company, it is merely a slap on the wrist for Facebook, with its reported 2018 revenue of almost $56 billion. The settlement is expected to include some further restrictions on Facebook’s conduct, although the precise terms have yet to be made public, and some critics have warned that it is unlikely to place broad restrictions on Facebook’s ability to share data with third parties or to hold top executives like Mark Zuckerberg personally responsible.
The UK Information Commissioner’s Office (ICO) has also begun imposing significant fines on companies for violations of the General Data Protection Regulation (GDPR), which went into effect across the EU in May 2018. British Airways, which experienced a security incident that led to the theft of customer data in September 2018, is expected to face a fine of approximately $230 million (amounting to 1.5% of its annual turnover), while Marriott International, which suffered a data breach first reported in November 2018, faces a $124 million fine (0.6% of annual revenue for 2018). The GDPR allows fines of €20 million or up to 4% of a company’s annual turnover, whichever is greater, meaning that even larger and more onerous fines could be imposed in the future.
Notably, the Marriott data breach occurred in 2014 in the systems of Starwood Hotel Group, which was acquired by Marriott in 2016, after the breach had occurred. However, it took two years for the breach to be discovered and disclosed to authorities, which the ICO claims shows a failure to undertake sufficient due diligence and to properly secure systems post-acquisition. The size of the fines indicates that the ICO is ramping up its enforcement and seeking to push major companies to make serious commitments to and investments in their data privacy infrastructure.
In this regulatory environment, companies cannot afford to be complacent regarding their data security. Due diligence, a robust security apparatus and response plan, and cyber insurance are important tools for any company that is tasked with protecting personal information.