Facebook’s Criminal Case Has Big Implications for Privacy
The prospect of high-profile criminal investigations for privacy breaches is going to raise the stakes in privacy compliance. The potential for jail time means organizations need to get off the bench and move beyond benchmarking.
The New York Times reported this week that Facebook faces a criminal investigation into its data sharing: a New York grand jury has issued subpoenas to two makers of smartphones and other devices that entered into agreements with Facebook to gain access to the personal data of Facebook users. This investigation appears to be separate from the investigation into Cambridge Analytica by the Northern District of California, which the New York Times reported is still active.
Grand jury proceedings are one of the first steps in a criminal case. They are used to determine whether criminal charges or an indictment should be brought against a defendant. They are closed to the public and the record is sealed. There has been no indication of how long the proceedings have been going on, but the media reports that are likely central to the investigation were first published in June.
Statistically, federal grand juries return an indictment an overwhelming percentage of the time. Some reports have put it as high as 98-99% of the time. However, given the high-profile nature of this particular investigation, there may be more hesitancy among the jury members to return an indictment. Even if a criminal case is authorized, Facebook would be given the option to defend itself or settle the case.
Criminal cases can be brought against either corporations or individuals. Since details about the grand jury are not made public, it is unclear which corporate entities or individuals are the target of the proceedings.
In the context of Congressional deliberations over a new federal privacy law, there has also been a lot of discussion about whether the Federal Trade Commission has sufficient authority to enforce the nation’s privacy laws. This has included concerns about the FTC’s inability to bring an enforcement action with monetary fines against first-time offenders. However, the prospect of Justice Department criminal investigations into data privacy practices raises the stakes for corporations that get privacy practices wrong the first time. The prospect of jail time for individuals would immediately elevate privacy among corporate concerns.
Criminal penalties have been on the table in some of the largest compliance controversies for some time – from securities violations and the Foreign Corrupt Practices Act to health care fraud in violation of the False Claims Act. The fact that privacy is on this list is definitely a sign of the times – privacy policies are no longer something that can be written and forgotten in the course of the day-to-day activities of a business.
For those companies that were facing a consent order already, the FTC news earlier this year about pursuing a multi-billion-dollar fine against Facebook from its Cambridge Analytica investigation no doubt got their attention.
Businesses that have not been the subject of a prior government investigation and are taking a wait-and-see approach to the implementation of changes to their privacy practices in the United States need to be questioning that approach in light of the government’s willingness to pursue a criminal case against Facebook. The news out of New York City must lead to conversations about whether there are areas for improvement in the short term (particularly around data sharing) while the government continues to debate the longer-term regulatory changes.
All businesses, though particularly those with high profiles, sensitive data or even large amounts of data, need to make sure that they can defend their privacy practices in light of the higher stakes surrounding criminal investigations.