Privacy Regulators: It’s time to hold individuals accountable in Addition to Organizations

In Washington, D.C., the attorney general for the District of Columbia added Facebook CEO Mark Zuckerberg to a consumer protection lawsuit.  This has the potential to force the Facebook CEO personally to suffer financial and other penalties.  The Facebook CEO was not named initially in the suit, but the investigation provided attorney general Karl Racine with enough evidence that he was able to add the CEO individually to the lawsuit as a co-defendant.

Facebook and other tech companies are experiencing increased regulation on two fronts.  Enforcement has increased and the number of regulations with which they need to comply has increased as well.  Federal and state lawmakers have introduced additional bills to regulate social media companies.

Facebook has been involved in several legal proceedings, but the Mark Zuckerberg isn’t usually held personally accountable.  Facebook is unique in that the buck stops with Zuck.  He tends to be involved in the really important decisions.  During his investigation, Karl Racine felt justified in adding the CEO to the suit because of the CEO’s active role in some of the relevant key decisions for the suit.

As a preliminary matter, the Facebook CEO does in fact have more than 50 percent control of voting shares on the Facebook board.  As for his direct involvement, a change in 2010 that saw Facebook give third-party developers free access to Facebook’s user data was partially creditable to the CEO.  This sharing led to a chain of events in which an academic who was a third-party recipient of Facebook’s user data, turned the data over to Cambridge Analytica.  Even though Facebook knew that Cambridge Analytica had come into possession of the data, Facebook didn’t disclose the breach of user data for more than two years.

The lawsuit against Facebook was filed in December 2018 and alleges that Facebook misled consumers about the use of their personal information collected on the Facebook platform.  Facebook had been found to have allowed Cambridge Analytica to obtain sensitive data from more than 87 million users, including the majority of the residents of Washington, D.C.  From a damages perspective, the number of affected users is relevant.

In the D.C. litigation, fines can go as high as $5,000 per D.C. resident affected by the Cambridge Analytica data scandal. Washington, D.C. is home to 300,000 residents.  Doing the math, Facebook and its CEO could be exposed to a substantial amount of liability.

Mark Zuckerberg can’t be thrilled about the attention he has received lately in his role at Facebook.  In a recent hearing, the CEO was asked to testify about the harm that Instagram imposes on teenagers. Now he is being personally named in this consumer protection lawsuit.  It is important to caveat these occurrences with the acknowledgment that inquiries and allegations aren’t proof of wrongdoing.

The approach of Karl Racine, holding individuals personally responsible in addition to keeping the company itself responsible may be a necessary approach to achieve consumer protection goals.  It is an approach that will be tried in parallel in China with the Personal Information Protection Law (PIPL). It remains to be seen whether the individual incentive approach increases compliance.

With the amount of enforcement increasing alongside the number of data privacy laws that companies need to comply with, it is important to have a good understanding of your data.  Clarip can help with data mapping and data risk intelligence.  We also provide data subject access request fulfillment, consent management, and other privacy compliance functions.  Learn more by visiting us at www.clarip.com or call 1-888-252-5653 to schedule a demo!