US regulator imposes fine on Facebook more than double the GDPR maximum

Following a settlement last week the US Federal Trade Commission has imposed a fine of $5bn on Facebook in relation to its privacy law violations in connection with the Cambridge Analytica scandal. The sheer scale of the fine, more than twice the maximum level possible under GDPR, and the market reaction to it raise a number of interesting questions.

Following a settlement with Facebook last week, the Federal Trade Commission (FTC) approved a $5bn (roughly £4bn) fine against Facebook in relation to an investigation into privacy law violations by the company. The FTC probe began in the wake of the Cambridge Analytica scandal following revelations that Facebook allowed Cambridge Analytica to access the data of 87m users, most of whom had not consented to such use.

The fine represents approximately 8.33% of Facebook’s worldwide turnover - which is over twice the maximum possible penalty that can be imposed under the GDPR for even the most egregious of conduct (a maximum of 4% of global turnover). It is also vastly higher than the FTC’s previous record fine: $22.5m against Google in 2012.

This puts the recent announcements of the first significant GDPR fines into perspective; the fine of £183.39m that the UK Information Commissioner’s Office imposed on British Airways last week only represented a (comparatively) measly 1.5% of BA’s global turnover. This suggests that, despite GDPR being touted as the “global gold standard” in data protection, it remains the case that fines in the US may be significantly higher than their European equivalents.

Facebook is worth MORE following $5bn fine

The contrasting reactions - in the markets and the press - to the recent announcements of the FTC’s fine against Facebook and those of the ICO against BA and Marriott International, Inc. illustrate the gulf in expectations as to the level of fines on either side of the Atlantic.

Where news of the fine against BA caused the share price of its parent company IAG to fall by 0.8% (to 452.7 pence), Facebook’s share price went up by almost 2% after the settlement was first reported (closing at $204.87 each) - effectively adding $10bn to its market value. Where the BA fine was reported as being unprecedented and a dramatic escalation by the ICO, the FTC fine was challenged by members of Congress as being “inadequate” and a “victory for Facebook”, which (really) it is; the biggest FTC fine in US history increased Mark Zuckerberg’s net worth by around $1.8bn [1].

The seeming inefficacy of the fine against Facebook may have led to coruscating coverage in the press but makes sense in light of differing market expectations. Prior to its announcement of the intended fines against BA and Marriott, the ICO’s previous highest fine was for £500,000 against Facebook last year. These fines represented a significant escalation. They went (quite possibly intentionally) against the grain of what the market has previously expected of the ICO (see our articles here and here). By comparison, Facebook had already set aside $3bn ahead of the FTC fine, having estimated that it was set to lose $3-5bn as a result of the investigation. US regulators (albeit not the FTC) have form for imposing dramatically higher penalties than their European counterparts and, it appears, market analysts had priced in a fine of at least this level and possibly also the risk of a larger fine or further action still. Confirmation of the fine, despite its enormity, would have drawn a line under that risk and potentially, in the minds of analysts (not necessarily correctly), under the risk of further regulatory ramifications.

It does however raise questions as to how data privacy regulators will seek to influence firms such as Facebook in the future. A regulatory fine’s purpose must ultimately be to provide negative consequences for unlawful conduct and to incentivise future compliance. Arguably, the FTC’s (objectively gigantic) fine has not done so. This inevitably calls into question whether GDPR fines (inevitably lower than that imposed by the FTC) will be too low to be an effective regulatory tool against major tech firms.

On the topic of regulating large tech firms, Britain’s Information Commissioner, Elizabeth Denham, was reported last week as stating, at a conference of key European privacy and competition regulators in Brussels, that “we need to change the business model, and fines are not going to do it.” Denham has also been reported as suggesting that her office was looking at 12 further significant cases and we have heard it suggested that there are 8 further fines potentially being announced in the coming weeks. It is apparent that GDPR fines are not going away but it will be interesting to see how European regulators respond to the dilemma posed by the sheer scale of the largest tech firms in the coming years.

[1] Based on a reported 18% shareholding.
