FTC Removes Facebook’s Past Privacy Auditor, Draws Congressional Skepticism
The FTC “effectively removed” Facebook’s independent privacy assessor (see 1912050065), Chairman Joe Simons wrote recently in a congressional letter. We obtained the document in response to a Freedom of Information Act request. Senators reached Thursday were skeptical that the FTC's $5 billion settlement resulted in meaningful structural change at Facebook.
PricewaterhouseCoopers conducted the social media platform's third-party privacy audit before the Cambridge Analytica scandal (see 1907240042). Though Simons' letter doesn't name the assessor, past documents identify PwC.
The agency “effectively removed assessors, in this case and others, by not re-approving those assessors who were insufficiently rigorous in their prior assessments,” Simons wrote in an Oct. 31 letter to Senate Commerce Committee ranking member Maria Cantwell, D-Wash., who had questioned the effectiveness of the agency’s settlement.
When asked about structural change at Facebook, Sen. Brian Schatz, D-Hawaii, laughed Thursday. “Facebook’s stock went up after the settlement, and that’s all you need to know,” he told us. The FTC, Facebook and PwC didn’t comment.
PwC shouldn’t have “been a privacy auditor in the first place,” said Center for Digital Democracy Executive Director Jeff Chester in a statement. “Simons did the right thing to remove them. What is needed is a truly independent expert who will be the watchdog that the public needs.”
PwC concluded in a 2015-17 audit that Facebook's privacy controls “were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information.” More than a year later, news broke that Facebook had allegedly enabled Cambridge Analytica to improperly access personal data from some 87 million users, despite the platform’s 2012 FTC order for previous privacy violations.
A 2019 agency fact sheet says Facebook “must have a stronger and more independent assessor.” The assessor must “look under the hood” to “judge the effectiveness of Facebook’s privacy program -- not rely solely on what management says,” the agency says. The fact sheet notes that only the company’s independent privacy committee and the FTC can approve or remove the assessor.
The Cambridge Analytica-related order, issued in July, dictates Facebook must hire an FTC-approved replacement before removing an assessor, subject to Consumer Protection Bureau Enforcement Division oversight. In deciding whether to approve an assessor, the agency examines qualifications, expertise, methodology, objectivity and independence. The order mandates initial and biennial assessments of Facebook’s privacy program from one or more qualified assessors.
“I thought the Facebook settlement should have been more,” said Sen. Marsha Blackburn, R-Tenn. “Probably Facebook is going to -- like a lot of these big tech companies -- they’re going to continue to push the envelope until we slap their hand enough and pass a privacy bill and empower consumers.”
“It was the nominally highest penalty ever,” Senate Intelligence Committee ranking member Mark Warner, D-Va., told reporters. “Even with high penalties, if you don’t build in long-term structural changes, if some of these actions can fall into the cost of doing business, you’re not going to have structural changes.” Warner doesn’t entirely blame Facebook because Congress didn’t set the framework. It’s not fair to rely on the “goodwill of [Facebook’s] instincts as opposed to giving them some rules of the road,” he said.
“There’s no indication of significant structural reform at Facebook,” said Sen. Richard Blumenthal, D-Conn. “One of my complaints about the settlement is that it failed to require that kind of reform.”