Although the Facebook case occurred on the other side of the ocean, it also has implications for China.

Editor’s note: This article is from the WeChat public account “Financial Magazine” (ID: i-caijing), by Zhou Hui and Zhu Yue, reprinted with authorization.

Facebook was investigated by the US Federal Trade Commission (FTC) in 2011 for illegal privacy statements regarding personal information protection. The two parties finally settled: Facebook promised not to make false statements, and promised not to share users’ personal information with third parties before the user agrees.

However, Facebook did not completely close the loopholes in its personal information protection. In 2016, using an application on the Facebook platform, Cambridge Analytica collected personal information from approximately 87 million Facebook users. Based on this massive data, Cambridge Analytica used precision targeting to influence the 2016 US election, which caused an uproar in the United States. This led the FTC to investigate Facebook again.

Recently, the FTC announced a settlement with Facebook and imposed three penalties on the latter. First, a fine of $5 billion, which is equivalent to 9% of Facebook’s annual revenue, much higher than the upper limit set by the European General Data Protection Regulation, under which a fine may not exceed 4% of a company’s global income.

Second, strengthened privacy compliance in various respects, including restricting the company from abusing mobile phone numbers, restricting the collection and abuse of face information, strengthening notification of personal information collection and use, protecting users’ right to delete personal information, and strengthening personal information protection. Third, an independent privacy committee, privacy compliance officers, and an external privacy ombudsman are to be set up to monitor and report on Facebook’s enhanced privacy compliance.

At present, the FTC’s penalty is still subject to approval by the US Department of Justice, but by convention the Justice Department usually does not oppose the FTC’s decisions, so this will be the largest personal information fine in history.

The main issues reflected in the Facebook case

First of all, “news customization” based on personal information can jeopardize national security. The main reason the Facebook case drew the attention of the US Congress, the government, and all sectors of society was that, after the personal information was collected and used, the information users received was “tailor-made” and interfered with the 2016 US election.

With a variety of personal information such as gender, location, school or post content, Cambridge Analytica and other companies can infer sensitive information such as religious beliefs and political leanings. On this basis, such companies can accurately push carefully designed, politically slanted information to induce voting behavior. Such inducement may play a key role because of the small gap between the two parties in the “swing states”. This has struck at the electoral democracy that the United States has advertised.

Secondly, it is difficult to protect personal information by relying on “flexible” supervision. Before 2018, the protection of personal information in the United States relied mainly on the FTC, and the FTC rarely imposed severe punishment. In most cases, the FTC would only require companies that infringed on personal information to stop the violation, promise not to commit it again, and take steps within the enterprise to fulfil those commitments, or submit reports on a regular basis to demonstrate that the commitments were being met.

In its 2011 investigation of Facebook, the FTC imposed similar penalties. However, in the case of Facebook, the FTC’s “flexible” handling has had even more serious consequences. Therefore, after the incident, the American public called for severe measures against Facebook.

Third, under the “free” business model, personal information security cannot be guaranteed by relying solely on corporate self-discipline. Some FTC members pointed out that the core of Facebook’s business model is to record users’ various characteristics and every move, and then target advertising. Therefore, this company has always been eager for more personal information.

According to US media counts, Facebook’s CEO Zuckerberg apologized to users in 2006, 2007, 2009, 2010, 2011, 2013, and 2018 for infringing on users’ personal information. However, Facebook’s protection of users’ personal information is still unsatisfactory. In addition, Facebook has long tolerated the excessive use of personal information by app developers.

It is worth noting that the relationship between politics and business is affecting the protection of personal information in the US Internet industry. In recent years, American media and academia have often criticized the close ties between large Internet companies and the federal government. Some scholars have therefore proposed the concept of the “Medici cycle”: large Internet companies influence the operation of political power by means of lobbying, election donations, etc., and then expand their scale with the favor of political power. The size of the business and the political influence of the company are mutually reinforcing.

In this FTC investigation, Facebook stated in its quarterly report for the first quarter of 2019 that it had set aside $3 billion to $5 billion to deal with the expected settlement. The final fine did not exceed this range. On the day of the settlement, Facebook’s share price rose rather than fell. These phenomena indicate that Facebook and Wall Street had foreseen the content of the settlement. For Facebook, the penalty is mild: in the face of such a wide-ranging and unfavourable investigation, the final fine is only one-third of its quarterly profit.

Finally, whether the punishment can curb the abuse of personal information is still doubtful. In addition to the settlement agreement, the FTC also released the opinions of the commissioners who took part in the decision. Two members raised sharp criticisms of the settlement: the fine is not heavy compared to the profit Facebook made from abusing personal information, and the senior Facebook executives who knew of and even participated in the abuse of personal information are not punished.

The settlement almost “forgives” all of Facebook’s previous related violations; the privacy committee, compliance officers, and ombudsman required by the settlement are more likely to exist only “on paper”. In the media, there are reports that described the punishment as “light tapping.” If the penalty is not heavy enough, Facebook may not fully correct its behavior.

Impact on Personal Information Protection in the United States

At present, there is no general personal information protection legislation at the federal level in the United States. Relevant laws are scattered across individual industries such as medical care and credit reporting, or apply only to specific groups such as minors. Therefore, the FTC could only impose a limited penalty for the behavior of Facebook and Cambridge Analytica.

As a result of the case, unified federal legislation on the protection of personal information has become the consensus of US public opinion, and the US legislature has taken various measures.

Since 2017, a number of lawmakers have proposed draft federal privacy protection laws, including the Application Privacy, Privacy and Security Act, the Consumer Data Protection Act, the Data Broker Accountability and Transparency Act, the My Data Act, and more.

In addition, since the end of 2017, the Senate and the House of Representatives have held six hearings on consumer data security and personal information protection legislation, consulting representatives of Internet companies, industry representatives, well-known scholars and others. The FTC has publicly solicited comments on amendments to the Children’s Internet Privacy Protection Act, and will hold a hearing in October this year to assess the need for revision and improvement. In addition, the American Law Society publicly released the nearly 200-page draft Data Privacy Law Principles in April this year.

However, considering the inefficiency of the US legislative system, the differences between the two parties, and the unremitting lobbying of technology companies, the relevant legislative process will still take a long time.

At present, only about 40 FTC employees are responsible for handling matters related to personal information, and the shortage of law enforcement personnel will become more prominent. On the one hand, infringement of personal information is still very common in the United States; on the other hand, when such infringement involves large Internet companies, the corresponding investigations take a lot of manpower and resources.

The FTC has to seek to increase its staff to cope with frequent personal information cases. However, because the Republican Party, which holds a majority in the Senate, is averse to regulatory expansion, the FTC may not be able to expand its manpower as expected. Faced with public calls for enhanced personal information protection, this will limit the coverage of the FTC’s law enforcement investigations and will also lead to “selective enforcement” issues.

Another impact of the case is that the penalties in individual cases will increase. Not long ago, the FTC also imposed an unprecedentedly large fine on TikTok (the US version of Douyin), amounting to 5.7 million US dollars.

For Facebook, $5 billion is not much, but this is the biggest fine in the FTC’s history of personal information protection. Compared to the past, this amount has significantly raised the penalty “ceiling”. Considering that American public opinion is paying more and more attention to privacy, it is expected that the FTC will likely impose heavier penalties in future cases.

After the case, the FTC’s intervention in the internal organizational structure of companies will be strengthened. In this penalty, the FTC asked Facebook to set up an independent Privacy Committee, Privacy Compliance Officers and an External Privacy Ombudsman. The three have the following common characteristics. First, they have a certain degree of independence: the controller of the enterprise cannot directly influence the appointment and removal of the latter two.

Secondly, the new positions have great authority. They have the right to read all the “materials related to privacy decisions”. The FTC also explicitly requires them not to rely solely on the statements of company personnel, but to understand the actual situation, and those in these positions can report directly to the FTC.

Implications for China’s personal information protection

The Facebook case occurred on the other side of the ocean, but it also has implications for China.

First, further understand the importance of personal information protection and accelerate the relevant legislation. The case fully demonstrates that the collection and use of a wide range of personal information, in addition to affecting the individual rights of citizens, will also affect national security and public interests. In addition, when massive amounts of personal information run into security problems, this may also lead to a large-scale backlash in domestic and foreign public opinion.

At present, China’s “Personal Information Protection Law”, “Data Security Law” and other relevant legislation have been included in the legislative plan of the 13th National People’s Congress Standing Committee, but no formal draft law has been formed yet. Considering that there is still a three-reading legislative process, the legislative pace needs to be accelerated to meet the urgent needs of practice.

Second, further strengthen the implementation of existing laws and regulations and strengthen law enforcement in the field of personal information protection. The Facebook case fully shows that if law enforcement and punishment are lacking, relying on “flexible” supervision and corporate self-discipline will not achieve the purpose of protecting personal information. Although laws such as the Cyber Security Law and the Consumer Rights Protection Act have initially established a legal framework for personal information protection, China still lacks an influential administrative law enforcement force like the FTC, and deterrence against companies that abuse personal information is insufficient.

The relevant law enforcement agencies should strengthen the following three aspects: first, safeguard law enforcement resources, and build personal information enforcement capacity of a certain scale and professionalism; second, strengthen the sense of responsibility, act lawfully and proactively, and play a deterrent role; and third, where the abuse of personal information has a wide range of influence, causes higher risks, or involves other serious circumstances, impose severe penalties within the scope of the law to strengthen the deterrent effect.

Thirdly, explore innovative organizational forms and introduce external forces to monitor personal information protection. The collection and use of personal information is not only about the interests of the company, but also about the public interest and individual rights. Therefore, other major stakeholders should have appropriate voices in making important decisions about personal information. In the United States, the establishment of such committees has increasingly become a common regulatory tool for the FTC.

In some European countries such as Germany, employee representatives and other related parties are brought in to supervise the protection of personal information. China can also learn from this experience: on the basis of existing designs such as “network security owners”, further explore innovative organizational forms so that public interest representatives and individual rights representatives can supervise corporate personal information protection.

Fourth, further improve Chinese enterprises’ awareness of personal information protection compliance, and prevent the United States from interfering with Chinese enterprises in the name of protecting personal information. In reality, the risk of “selective enforcement” by the FTC is increasing, and the degree to which penalties intervene in business operations is deepening. In addition, there is already precedent for US-related entities of Chinese companies such as Toutiao (the above-mentioned TikTok case) being severely penalized for inadequate protection of personal information.

Therefore, once Chinese companies encounter Facebook-like penalties, they will suffer huge losses. The United States may require a variety of “independent” and high-privilege positions, which may interfere with the normal operation of the company and even bring national security risks. Under the new situation of Sino-US trade, we should further improve the level of personal information protection and awareness of relevant Chinese enterprises, avoid becoming the target of US law enforcement agencies, and make good response plans.

This corresponds to the third point mentioned above: improving the corresponding organizational system will help to cope with similar demands that the US may make in the future, and keep the initiative in the hands of the Chinese side.

Fifth, further strengthen international comparative research on personal information protection, seize the opportunity presented by the construction of the personal information protection legal system, and enhance China’s voice in international cyberspace governance. Personal information protection is one of the core issues in the international governance of cyberspace. Compared with Western countries, China started late.

But in the current US, by contrast, due to the tradition of liberalism and the interests of all parties in practice, the progress of legislation has been somewhat lagging, and weak law enforcement has also caused dissatisfaction. As a result of this change, China has the potential and conditions to take the lead in building the rule of law for personal information protection.

Therefore, it is necessary to further organize resources, systematically carry out comparative research on the status of international personal information protection, and build a personal information protection system with both Chinese characteristics and international leadership while drawing lessons from the US and Western countries.

(Author Zhou Hui is a researcher at the Cultural and Legal Research Center of the Chinese Academy of Social Sciences, and Zhu Yue is an assistant researcher at the Cultural and Legal Research Center of the Chinese Academy of Social Sciences; Editor: Zhu Xi)