
Understanding Facebook’s Data Breach: The Legalities and Action Taken

Facebook has been in hot water since it came to light that as many as 87 million users had their private data scraped, sold, amalgamated, and run through machine learning tools to build profiles, all without their knowledge and right under Facebook's nose. The story has been everywhere, but the details go as follows. Back in 2013, a Cambridge University researcher built an app for use on Facebook called "thisisyourdigitallife."

The app was a basic personality quiz and was taken by about 270,000 users. However, Facebook's app permission policies were far more permissive back then. Once a user installed the researcher's simple quiz, it had permission to scrape the data from that user's entire Facebook profile and, more dangerously, from the profiles of everyone on the user's friends list, none of whom had installed the app or agreed to anything.

Some 30 million of these profiles were purchased in 2014 by Cambridge Analytica, a company whose leadership included Steve Bannon, later Donald Trump's campaign chief executive and White House adviser. The information was run through machine learning tools to build a larger profile of each individual and to chart trends among them. This information was used in the Trump campaign's marketing after Jared Kushner hired Cambridge Analytica in 2016.

This is far from the first criticism Facebook has faced in recent years; the fake news controversy is one example. Nor is it the first time it has come out that Facebook had not taken the best care of its users' private data. It is not even the first time in the last decade that an app has been used to mine data for a presidential campaign: the Obama for America app did something similar back in 2012.

The whole situation has led to massive legal and media blowback for Facebook and its CEO Mark Zuckerberg. Zuckerberg testified before Congress in the last couple of days and has been called to appear before the UK Parliament and other bodies. The situation has given rise to lawsuits and to potential legal and legislative action from the U.S. government, state governments, and even governments abroad.

Legal Issues of the Breach Itself

There is an enormous amount of law that could be discussed here, so we are going to focus only on what is most immediately relevant to the situation. One of the central issues, in terms of understanding Facebook's legal duty to monitor the actions and content of its users' posts, revolves around a law that far pre-dates Facebook itself: Section 230 of the 1996 Communications Decency Act (CDA).

The CDA provides that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This shields Facebook, and ISPs and similar websites generally, from liability for the statements and posts of third parties. There are several exceptions to this.

For instance, content that infringes copyright is carved out and gives rise to separate safe-harbor issues under the Digital Millennium Copyright Act. In general, though, websites such as Facebook are immune to many legal claims over the actions of their users because they are not treated "as the publisher or speaker" of that third-party information.

The goal behind this is to preserve a more robust internet, since the reality is that it is very difficult for a large website to track the actions of all its users. However, it also provides a great deal of legal shelter to a site such as Facebook.

The CDA applies when the activity occurs on the internet, the defendant is a "provider or user of an interactive computer service" (which includes websites), and the defendant website is not the source of the posted content. It protects websites for essentially any user posting of information online. It also requires that the website not encourage illegal content or design its site so that illegal content must be entered.

There are some additional complications to this. However, suffice it to say, social media websites benefit quite a bit from these sorts of protections. While there are state-by-state privacy laws, there is very little law limiting the use of private data at the federal level.

Unless something illegal is happening, the CDA will cover a site such as Facebook against quite a few potential legal issues. Instead, most of the obligations of a site such as Facebook are self-imposed through its privacy policy and terms of service.

These rules have seen some recent changes with the FOSTA-SESTA Acts. However, these changes will have a minimal effect on Facebook's overall duty to monitor and filter its users' posts. FOSTA-SESTA is mostly an overbroad attempt to fight online sex trafficking by adding duties on the part of online platforms to police their users, an odd choice given that there is already law on the books which serves the same purpose.

Private Legal Action Against Facebook

Even with protections such as the CDA in mind, there has already been private legal action against Facebook. A class action lawsuit was brought against Facebook, Cambridge Analytica, and Mark Zuckerberg himself on March 22nd.

The lawsuit has six counts, including fraud and deceptive practices, breach of contract, negligence, intrusion upon seclusion, and claims under the Stored Communications Act (SCA), part of the Electronic Communications Privacy Act and one of the few federal privacy laws.

To make a very complicated law simple, the SCA makes it unlawful to access the contents of a communication stored online without authorization, or for a provider to disclose those contents, including to the government. After a 2010 court case this covers private social media messages, but not posts on a wall or similar public communications.

The action alleges that Cambridge Analytica mined the data with the intent of influencing the 2016 election and that Facebook, despite recorded warnings from entities such as the Irish government as early as 2011, irresponsibly let it happen under its nose.

Federal Investigation and Potential Action

At the federal level, we have obviously already seen Mark Zuckerberg testify before Congress. However, that is far from the full extent to which the federal government can go, and in fact is likely to go. From potential fines to litigation, there is quite a bit still in motion here.

We already mentioned that this is not the first time Facebook has been in trouble over its privacy practices. There is no simpler example than the 2011 settlement it reached with the FTC over charges that Facebook had deceived its users by not following its own privacy policies. Under the settlement, Facebook must give its users "clear and prominent notice" and obtain user consent before sharing their information.

The settlement also includes the most obvious term: Facebook had to promise not to make any further deceptive privacy claims. The question now is whether the FTC will come after Facebook for violating this settlement, known as a consent decree in situations such as this. The penalty for such a violation could be as much as $40,000 per user per day; with 87 million users over the course of months, that number could end up astronomical.

This has the potential to be the largest fine levied in the history of government regulation; it could even break a trillion dollars. In comparison, the current largest government fine of all time was the approximately $13B fine levied on JP Morgan Chase over its subprime mortgage practices before the recession.

That was followed by a $4B fine levied against BP after its enormous oil spill in the Gulf. This fine, if the FTC chooses to act, has the potential to dwarf both of those combined. That being said, there is little indication of where the FTC plans to go with this, so we will have to wait and see where it ends up in the coming days.

Additional federal action could come in the form of new legislation adding privacy requirements for online actors, something the U.S. has historically been extremely hesitant to do, especially given the push and pull between privacy and the First Amendment. That being said, there are already bills under consideration which may get another look from Congress in light of current events.

A bipartisan bill known as the Honest Ads Act was introduced late last year and would require social media and other media to disclose which group is running a political advertisement, in an effort to increase transparency. The bill has seen little action since its introduction, sitting in the Senate Rules Committee. However, in recent days it has been backed by a number of high-profile entities such as Twitter and even Facebook itself. This may lead Congress to revisit its provisions.

State Action in Light of Facebook’s Breach

Individual states have also begun to take action in light of recent events. For instance, California has already put an initiative on the ballot, opposed by Facebook and essentially all broadband providers, that would require companies to disclose what information they gather and how they sell it, and would give people some measure of control over what a given business can do with their data. California lawmakers are also seeking to introduce a law which would require social media platforms to identify bot accounts.

Action Taken Abroad

There has been enormous movement on privacy abroad recently, although not really in response to the Facebook situation. The EU has introduced what is almost certainly the most sweeping and powerful privacy protection law ever passed: the General Data Protection Regulation, or GDPR.

Taking effect May 25th, the GDPR has had online companies doing business in the EU moving quickly to ensure they meet the law's stringent privacy requirements. Backed by substantial fines for non-compliance, the GDPR applies to all companies doing business in the EU and, among an enormous number of provisions too detailed to even scratch the surface of here, requires companies to be fully transparent about what information they gather and why.

Users themselves have the right to access this data, to tell companies how they may use it, and even to have the companies delete it.

What is Facebook Doing in Light of This Scandal?

As of now, Mark Zuckerberg has said in his testimony to Congress that Facebook will give apps less access to data and require more transparency about what data individual apps gather. Facebook has already changed its political advertising policies and, again according to Zuckerberg, will be strengthening its security measures.

However, by Zuckerberg's own admission, the issue will be a difficult one to address completely. Regardless of what steps are taken, the reality is that the road to eliminating data sharing and breaches is an extremely difficult one, simply because of the sheer volume of data out there, the number of users, and the ever-shifting nature of security threats.

As to legal steps on the issue within the U.S., there is a push and pull between limiting the dangers posed by content on Facebook and ensuring proper First Amendment speech protections when the government crafts laws on this issue.

That being said, Facebook is completely free to limit speech, methods of use, and the like on its platform in essentially any way it sees fit through its privacy policy and terms of use. As a private corporation, it is not subject to the First Amendment limitations that the government is. Privacy protections in law are woefully lacking, but complicated to craft effectively. This is an issue that should not be rushed, but getting it right is crucial to the ongoing existence of a healthy internet.

Jonathan Lurie is a Founding Partner of The Law Offices of Lurie and Ferri (Contact Info). He primarily handles business law, employment law, and intellectual property issues, but works with all types of civil matters. He is a Vice-Chair of the Sports and Entertainment Interest Group of the California Intellectual Property Section and has won awards for his knowledge of intellectual property, start-up business issues, and California civil procedure.