Can fines rein in Big Tech? Privacy regulators spur a debate

May 8, 2019 | 2:20 PM

WASHINGTON — As they negotiate a record fine against Facebook, federal privacy regulators sparked a debate in Congress Wednesday over how effective such penalties can be in preventing future abuses by big companies.

Members of a House consumer protection subcommittee also gave a sympathetic hearing to the Federal Trade Commission’s request for greater powers and funding to police privacy.

“A large fine in a single case does not solve the problems that consumers face,” said Rep. Jan Schakowsky, D-Ill., chairwoman of the Energy and Commerce subcommittee, at a hearing with the five members of the FTC. She said the agency needs more funding and authority “at a minimum to restore consumers’ confidence.”

Rohit Chopra, one of the FTC commissioners, said that for some big companies, fines alone are a mere “parking ticket.”

“We cannot change behaviour without finding out who at the top caused those problems,” Chopra said.

Although Schakowsky and Chopra didn’t specifically mention Facebook, the giant social network was top of mind for lawmakers as the FTC appears close to ending its yearlong investigation of the company’s privacy practices and looks to punish Facebook for alleged violations of users’ privacy.

The question is whether big fines can be just a cost of doing business for huge companies, failing to deter bad conduct. The fine against Facebook is expected to run as high as $5 billion — stacked against the company’s revenue of $55.8 billion last year.

Rep. Michael Burgess, R-Texas, said even a large fine “is inconsequential for a company the size of Facebook.”

The FTC is considering a rare action to hold Facebook CEO Mark Zuckerberg personally accountable for Facebook’s alleged failure to honour a 2011 agreement over privacy lapses.

The agency also may limit how Facebook targets advertising to its massive user base — potentially making the action far more than a regulatory slap on the wrist.

Beyond the fine, comprehensive action by the FTC could mark a watershed in federal action against the tech industry in the name of consumer privacy.

By usual practice, the FTC — an independent agency — is split with three Republicans and two Democrats. FTC Chairman Joseph Simons has advocated tougher enforcement action against tech companies and must obtain the agreement of at least two other commissioners for any action on Facebook.

In his testimony, Simons urged the lawmakers to enact privacy and data-security legislation to be enforced by the FTC. The agency has brought more than 65 data security cases and 60 general privacy cases and helped return more than $1.6 billion to consumers in the fiscal year ended in October, Simons noted.

Lawmakers have started work on a new national privacy law that could sharply curtail the ability of the biggest tech companies to collect and make money off people’s personal data. The role of the FTC as an enforcer of privacy protections is a key issue in the debate over legislation. Consumer privacy advocates and Democratic lawmakers say the agency currently lacks teeth and have pushed for expanding its powers and funding.

The FTC doesn’t have the authority, for example, to levy civil money penalties for first violations for most unfair or deceptive practices. It can only issue orders halting the conduct, as it did with Facebook in 2011.

The agency would be expected to write new privacy rules should Congress pass a new law.

Behind the momentum for a new law is rising concern over a string of scandals and the compromise of private data held by Facebook, Google and other tech giants that have reaped riches by aggregating consumer information. The industry has traditionally been lightly regulated and has resisted closer oversight as a threat to its culture of free-wheeling innovation.

Republicans have generally opposed an expansion of federal authority, but in the wake of the Facebook and other privacy scandals, some have taken a more open view toward the FTC’s powers and funding. Some business groups are also proposing an expanded role in privacy protection for the FTC.

The 2011 consent decree with the FTC bound Facebook to a 20-year privacy commitment. Violations could subject the company to fines of $41,484 per violation per user per day. The agreement requires that Facebook users give “affirmative express consent” any time that data they haven’t made public is shared with a third party.

The agency started investigating Facebook’s privacy practices more than a year ago after reports surfaced that the British political consulting firm Cambridge Analytica had improperly accessed the data of as many as 87 million Facebook users without their consent.

Marcy Gordon, The Associated Press