Penalty by US government reflects scale of breach, first reported by the Observer

This article is more than 1 year old

Facebook will pay a record $5bn (£4bn) penalty in the US for “deceiving” users about their ability to keep personal information private, after a year-long investigation into the Cambridge Analytica data breach.

The Federal Trade Commission (FTC), the US consumer regulator, also announced a lawsuit against Cambridge Analytica and proposed settlements with the data analysis firm’s former chief executive Alexander Nix and its app developer Aleksandr Kogan.

The $5bn fine for Facebook dwarfs the previous record for the largest fine handed down by the FTC for violation of consumers’ privacy, which was a $275m penalty for consumer credit agency Equifax.

It is also one of the largest regulatory penalties ever imposed by the US government on any company, reflecting the scale of the breach, first reported by the Observer.

The fine did not, however, appease all of the FTC’s members. The two Democrats on the five-member commission called the fine insufficient and said it would do little to change the company’s behavior.

“The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations,” commissioner Rohit Chopra said in a statement. “Nor does it include any restrictions on the company’s mass surveillance or advertising tactics.”

“Rather than accepting this settlement, I believe we should have initiated litigation against Facebook and its CEO Mark Zuckerberg,” said commissioner Rebecca Kelly Slaughter.

The social network will submit to new restrictions on how it operates and a modified corporate structure to ensure executives are more accountable for users’ privacy.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” the FTC chairman, Joe Simons, said.

“The magnitude of the $5bn penalty and sweeping conduct relief are unprecedented in the history of the FTC.”

Simons said changes to Facebook’s corporate structure would make executives more accountable for protecting the privacy of the 185 million people in the US and Canada who use Facebook each day.

He said this was intended to “change Facebook’s entire privacy culture to decrease the likelihood of continued violations”.

In a post on his own Facebook page, the social network site’s founder and chief executive, Mark Zuckerberg, said the company had transformed the way it handles users’ information.

“We’ve agreed to pay a historic fine, but even more important, we’re going to make some major structural changes to how we build products and run this company,” he wrote.

“We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.

“Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”

Separately, the Securities and Exchange Commission (SEC) announced on Wednesday that it had reached a settlement with Facebook over claims that it had misled investors about the risk of misuse of users’ data. The settlement includes a $100m fine.

According to the SEC, the US’s top financial watchdog, Facebook discovered the misuse of its users’ information by Cambridge Analytica in 2015, but did not correct its existing disclosure for more than two years.

“Instead, Facebook continued to tell investors that ‘our users’ data may be improperly accessed, used or disclosed’,” according to the SEC complaint. “Facebook reinforced this false impression when it told news reporters who were investigating Cambridge Analytica’s use of Facebook user data that it had discovered no evidence of wrongdoing. When the company finally did disclose the incident in March 2018, its stock price dropped.”

“As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused,” said Stephanie Avakian, co-director of the SEC’s enforcement division.

Facebook neither admitted nor denied the SEC claims.