It has been more than three years since Facebook’s blockbuster $19 billion acquisition of messaging application WhatsApp, but the deal is still making headlines. Unfortunately, the latest news is not good for Facebook – and potentially for other social media companies – as the company has been fined $122 million for going back on an assurance it gave regulators.
The fine was levied in the European Union (EU), and stems from a representation that Facebook made when seeking regulatory approval for the deal. At the time, Facebook represented that it would not be combining WhatsApp’s user data with data from the company’s ubiquitous social media network. However, in August 2016, Facebook publicly announced that it would begin using WhatsApp user data, marking “the first time the messaging service [WhatsApp] has connected users’ accounts to the social network to share data,” and allowing Facebook “to coordinate information across its collection of businesses.”
The record-setting fine followed the publication of findings by Dutch and French regulators that Facebook had violated their countries’ data protection rules. The violations included failing to provide users with adequate control over the use of their personal data, collecting both users’ and non-users’ information on third-party websites without their knowledge, and failing to adequately address the distribution of hate speech and misinformation. The French Commission nationale de l’informatique et des Libertés (CNIL) imposed a fine of $164,000 and the Netherlands did not impose a financial penalty; however, the New York Times reports that German authorities are considering “hefty fines” against the company on similar grounds.
According to CNN, Apple, Amazon, and Google are also facing scrutiny over their data protection practices in the EU.
Notably, Facebook’s data collection and sharing practices have not drawn comparable scrutiny in the US. Many users are likely to find this surprising, especially as the company continues to expand its commercial use of their personal information (for example, by targeting advertisements based on users’ posts and scrolling behavior). The reality, however, is that US data privacy law differs fundamentally from the law in the EU and other jurisdictions abroad. While companies that do business online may face comparatively limited legal hurdles at home, they must take great care not to run afoul of the regimes that apply to their platforms and services overseas.
Data Privacy Laws: US vs. EU
Different Approaches to Data Privacy Protection and Enforcement
The US and the EU have taken fundamentally different approaches to regulating the use of an individual’s personal information. In the EU, data protection is considered a “fundamental right,” and there is broad legislation that “aims to protect the liberties . . . of individuals[,] and in particular their right to privacy with respect to the processing of personal data about them.” As a result, every company that collects personal information about residents of the 28 EU member states must adhere to strict rules and is subject to a range of disclosure requirements and other forms of regulatory oversight. (The $122 million fine against Facebook, by contrast, arose from the merger review itself: it penalized the misleading assurance the company gave regulators about combining WhatsApp data, rather than a breach of the data protection rules as such.)
In the US, there is no comparable, general form of data privacy regulation. Instead, laws apply largely by industry and by population. For example, the best-known US data privacy law, the Health Insurance Portability and Accountability Act (HIPAA), applies to health care providers, health plans and clearinghouses (“covered entities”) and to the vendors and contractors (“business associates”) that handle protected health information on their behalf, a category that is interpreted broadly. Laws such as the Children’s Online Privacy Protection Act (COPPA) apply to operators of websites and online services that are directed to children under the age of 13, or that knowingly collect personal information from such children. Other federal laws that address the subject of data privacy in the US include:
- The Electronic Communications Privacy Act (ECPA) – The ECPA prohibits the unauthorized interception of wire, oral and electronic communications and, through its Stored Communications Act provisions, unauthorized access to communications held in electronic storage. Its exceptions, most importantly the consent of a party to the communication, are what commercial monitoring and analytics practices typically rely on, so how and when consent is obtained matters.
- The Fair Credit Reporting Act (FCRA) – The FCRA imposes data protection requirements on companies that create, provide, and use consumer credit reports, including reporting agencies, lenders, insurers, employers that run background checks, and other companies that have access to consumer credit information.
- The Federal Trade Commission Act (FTC Act) – Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices,” and the FTC has used this authority to pursue companies that misrepresent their collection or use of personal data (for example, in a privacy policy they do not follow), as well as companies whose data security practices fall short of what they promised consumers or of what is reasonable.
- The Financial Services Modernization Act (Gramm-Leach-Bliley Act) – The Gramm-Leach-Bliley Act governs the collection, use and sharing of consumers’ nonpublic personal financial information by banks, lenders, other financial institutions, and other companies that provide financial services. It requires them to give customers privacy notices and to maintain a written information security program to safeguard that information.
In addition to federal legislation, companies in the US must address the requirements of state laws as well. Nearly all states have enacted some form of data privacy legislation, and these laws can apply to companies that provide internet-based services on a nationwide basis even if their operations are housed in a single office location. Some states, such as California and Massachusetts, are leading the way with more comprehensive data privacy requirements, and the vast majority of states have “breach notification” laws that require companies to have (and follow) procedures for informing consumers when their PII has been (or even may have been) compromised.
Coming to Europe in 2018: The GDPR
Keeping its overarching, harmonized approach, the EU is preparing to implement a new data privacy regime. The General Data Protection Regulation (GDPR) is set to take effect on May 25, 2018. The GDPR will replace the EU’s current regulatory structure (the 1995 Data Protection Directive) and will continue to apply to both “controllers” (organizations that decide why and how personal data is processed) and “processors” (organizations that process personal data on a controller’s behalf). Importantly for US businesses, the GDPR also reaches organizations outside the EU that offer goods or services to people in the EU or monitor their behavior, so a small company can be covered without having any European office. You can learn more about the GDPR from the United Kingdom’s Information Commissioner’s Office (ICO).
Data Privacy Compliance: What is a Small Business to Do?
With such broad and varied data privacy and security obligations, what can small businesses do to help ensure that they meet their legal requirements? As the above summary demonstrates, the steps required will depend greatly on the geographic reach and (in the US) the nature of each small business’s products or services. For small US-based companies that exclusively serve the US market, compliance may require little more than an appropriate website privacy policy, or it may demand comprehensive internal policies, technical access controls, and ongoing monitoring of data security. To begin to assess your company’s needs, here are some initial considerations:
- Determine what data you have. Does your business collect information through its website? Do you offer financing? Do you have employees? The first step toward understanding your company’s data privacy obligations is to determine what data you need to protect, where it is stored (including with third-party vendors and cloud services), and who has access to it.
- Determine which law(s) apply. Once you know the data you need to protect, then you can move on to understanding which law(s) apply. Where are your customers geographically located? Where is your website accessible? What sector or industry-specific laws apply to your business? You need to make sure you have a clear and comprehensive picture of your company’s legal obligations.
- Develop and implement an adequate data protection strategy. Finally, put together a strategy focused on meeting your company’s current data privacy obligations with an eye toward the future. The EU’s data protection laws are changing, and the laws in the US and other jurisdictions will likely be changing in the future as well. While complying with your current obligations should be your top priority, it is important to put your company in a position to effectively and efficiently transition to modified data protection standards.
- Maintain an up-to-date website privacy policy. Posting a privacy policy on your company’s website is not just a good idea; in many respects, it is a necessity. Various states have laws that impose disclosure and other requirements on companies that offer products or services within their borders via the web. California’s Online Privacy Protection Act, for example, requires any commercial website that collects personally identifiable information from California residents to conspicuously post a privacy policy describing what is collected and with whom it is shared. These laws have been enacted fairly recently, and consumer privacy is an area of the law that is in a perpetual state of development. As a result, companies that do business online must not only adopt privacy policies but also revisit and revise them over time, and make sure their actual practices match what the policy says.
Speak with a Small Business Attorney at Jiah Kim & Associates
If you need help understanding your small business’s data security obligations, we encourage you to contact us for an initial consultation. You can schedule an appointment online, or call (646) 389-5065 to speak with an attorney in confidence.
This blog post is written for educational and general information purposes only, and does not constitute specific legal advice. You understand that there is no attorney-client relationship between you and the blog publisher. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.