If 2018 was Facebook’s annus horribilis, then 2019 does not look a great deal rosier for the social media giant.
With its once-booming share price tumbling from $217.50 to just over $130 by the end of the year, chief executive Mark Zuckerberg’s headaches risk becoming a cluster migraine, with:
- allegations from special counsel Robert Mueller’s investigation that Facebook was used by malign third parties to spread disinformation during the 2016 presidential election. Zuckerberg informed Congress that the company has been working with Mueller;
- repeated accusations that Facebook failed to stop the spread of hate speech and incitement on its platform. Facebook responded that it had increased efforts to identify and remove content promoting hate, taking action against those who consistently share such content;
- the Cambridge Analytica scandal, with the claim that tens of millions of people’s data was wrongfully obtained and used;
- Mr Zuckerberg attending two days of questioning by members of Congress but refusing a similar request that he appear before parliament;
- Parliament obtaining – and subsequently disclosing – a series of internal emails passing between Facebook executives;
- privacy bugs leaving millions of users’ information unintentionally exposed;
- Facebook’s growth rate slowing each quarter as young users flock to alternative platforms; and
- consumer campaigner Martin Lewis bringing a legal action against Facebook concerning ads published on the platform (a claim that Mr Lewis dropped this month after Facebook agreed to institute a scam ads reporting button and donate £3m to a new Citizens Advice project).
Meanwhile, in the UK Facebook plans to fight an Information Commissioner’s Office ruling with an appeal to the first-tier tribunal which is expected to be decided over the coming months.
In October, the ICO announced that the network had been slapped with a £500,000 fine for its part in the Cambridge Analytica scandal. Although this sum is a pittance for a business that boasted quarterly net income of more than $5bn to the end of September, it nonetheless holds the dubious honour of being the largest fine ever issued by the data regulator (and the maximum fine permitted under the now-superseded Data Protection Act 1998, under which the action had been brought).
The ICO found that Facebook had processed its users’ personal data unfairly by ‘allowing application developers access to their information without sufficiently clear and informed consent’ and had neglected to keep personal information secure, by failing ‘to make suitable checks on apps and developers using its platform’.
Those shortcomings had allowed one developer to collect the Facebook data of up to 87 million worldwide users of the networking site. The ICO concluded that the personal information of at least a million UK Facebook users was among that obtained, and therefore put at risk of additional misuse. The regulator also found that even when the misuse of the data was discovered by Facebook in December 2015, it did not do enough to ensure those who held the data had promptly taken steps to delete it.
The thrust of Facebook’s argument in its appeal against the ICO’s ruling is that although the regulator’s investigation principally concerned the potential misuse of UK citizens’ data in the context of the Cambridge Analytica scandal, it had not in fact established that data belonging to UK Facebook users had ever been shared with Cambridge Analytica or its affiliates. Facebook is effectively contending that without such evidence, the heart of the ICO’s case against it does not even relate to the events surrounding Cambridge Analytica.
Anna Benckert, Facebook’s associate general counsel in Europe, is reported to have said that the ICO’s reasoning ‘raises important questions of principle for everyone online which should be considered by an impartial court based on all the relevant evidence’. However sympathetic – or unsympathetic – one might be to Facebook, it is hard to disagree that the issues raised are part of a broader contemporary debate about the relationship between individual rights and new media.
It is fair to say, too, that the landscape is looking a lot more perilous for web companies generally, not least in relation to the risk of data breaches.
In the wake of the Facebook case and other high-profile ones, the coming year is likely to see much greater focus on organisations’ duties to handle data lawfully, and scrutiny of whether they are living up to these duties.
Coupled with this, the coming into force last year of the GDPR (and at national level, the Data Protection Act 2018), has strengthened the regulator’s powers, vastly increasing the maximum financial penalty it can impose on a ‘data controller’ found to be in breach to £17m (€19.6m) or 4 per cent of its global turnover.
Indeed, 2019 might well become the year in which we find out not just how the GDPR will be interpreted by courts and regulators, but where the real risks lie for web giants trying to navigate the new legislative regime.
Dominic Garner is a senior associate at Carter-Ruck