At first glance, Facebook appears to have conceded quite a lot of ground to the Federal Trade Commission in the agreement it negotiated with the agency over its handling of user data. Among other things, the social network will now be required to obtain users’ affirmative express consent before making changes to the platform that override the user’s privacy settings. It will be barred from making false representations about the privacy and security of user data; it must establish and maintain a comprehensive privacy program; and, perhaps most significant, it must submit to an independent privacy audit every two years for the next 20 years.
Taken together, the new measures have the potential to significantly constrain Facebook’s ability to provide marketers with the sort of fine-grained ad-targeting data that could support premium ad prices, as well as the social network’s strategy of making content and information sharing by its users as seamless and friction-free as possible.
In reality, Facebook had little choice but to cut a deal with the FTC. But the deal it cut could end up paying dividends in the future.
The agreement with the FTC settles an eight-count complaint brought by the agency against Facebook that included serious allegations of unfair trading practices and breaches of U.S. privacy laws. With the company eyeing an initial public offering next April or June, eliminating the risk of a huge future financial penalty, to say nothing of the class-action lawsuits that inevitably would follow, was essential.
More to the point, apart from the every-two-year privacy audits, Facebook in all probability did not agree to implement any procedures it wasn’t already going to face significant pressure to implement — not from any U.S. authority but instead from the European Union.
The European Commission plans to introduce a proposed new EU privacy directive in January that would update and replace the existing EU directive that dates to 1995. Although details of the proposal are not yet available, EC VP Viviane Reding has made clear in public comments to date that the restrictions on what “data processors” can do with their users’ information will be at least as strict as, and probably stricter than, anything the FTC (or for that matter the U.S. Congress) is considering.
Reding has also made it clear the Commission has Facebook squarely in its sights.
“I call on service providers — especially social media sites — to be more transparent about how they operate,” Reding said last week. “Users must know what data is collected and further processed [and] for what purposes.”
The new rules will apply to any company whose service is available to EU citizens, whether the company has a physical presence in any of the bloc’s 27 member countries or not. The directive will also aim to standardize privacy laws throughout the EU, eliminating the current patchwork of national laws and eliminating any opportunity for Facebook and other U.S. companies to play regulatory arbitrage by locating their European servers in the country with the least-restrictive policies.
From Facebook’s perspective, in other words, the 27-member EU is in the process of becoming a single, massively scaled-up market — as large as or larger than the U.S. — with highly restrictive privacy laws. As a global platform, Facebook will likely need to conform all of its internal procedures to the new European rules.
The final form of those rules, however, is not yet set. The EC directive will need to be approved by the European Parliament and then implemented locally by each member country. By cutting a deal now with the FTC, Facebook probably gains some leverage for the long fight ahead with European regulators to shape the final rules and to carve out as much flexibility for itself as possible.
As onerous as the terms of the FTC deal seem, they mean Facebook lives to fight another day.