Facebook and the Coming Wave of Litigation



By Sascha Matuszak
Reporter, SCCE|HCCA

Facebook CEO Mark Zuckerberg spent five hours answering questions from a revolving cast of senators yesterday. His testimony concerned the Cambridge Analytica data breach, which compromised the personal data of more than 80 million people. Congress is reviewing new regulations governing how tech companies manage personal data, such as the Honest Ads Act, and may even consider anti-trust action. Some senators have pointed to the fact that there is no alternative to Facebook as a sign of a monopoly; however, Facebook and Zuckerberg can influence and guide much of what comes out of these hearings, through lobbying on Capitol Hill, collaborations with politicians interested in crafting “the right regulations,” and clever answers to complex questions.

But the company has less influence over what the courts will say.

As Zuckerberg testified, the first wave of litigation hit the beach. More than a dozen legal teams filed class action lawsuits targeting Facebook, Cambridge Analytica, and other entities involved in the most recent data breach. One of them, a joint US-UK class action lawsuit filed in Delaware, where Facebook, Global Science Research Limited, SCL Group and Cambridge Analytica are all incorporated, has been brought under the US Stored Communications Act.

“US lawyers said the legislation provides for a minimum $1000 (£700) penalty for any violation found by a court,” write Owen Bowcott and Alex Hern of The Guardian. “[M]eaning that, if the case goes against Facebook, it could face damages in excess of $70bn.

This is the first suit against Facebook to include British citizens, but it is one of at least a dozen filed across the US following the data breach, including investigations by the Massachusetts attorney general and the Federal Trade Commission. The lawsuits cite not only the Stored Communications Act, but also the 2011 FTC Consent Decree that Facebook signed and allegedly failed to adhere to. Other regulations may also come into play, as the lawsuits work their way through the courts and wrangle out exactly what laws were violated by the Cambridge Analytica data breach.

Facebook and the GDPR

When asked what Zuckerberg thought of the more stringent approach of the EU’s GDPR toward data privacy and protection, he smirked and replied, “The Europeans get some things right.” Several people in the room laughed at this light jab, and the questioning moved toward a different topic. The truth is, however, that the GDPR is very much on the mind of tech executives all over the world: an AP photographer got a look at Zuckerberg’s notes, which warned, “don’t say we already do what GDPR requires.”

In “Compliance Perspectives,” SCCE’s podcast, SCCE Board member Robert Bond explains that the GDPR is global legislation, affecting any and all companies handling data on EU citizens. He goes on to say that, although class action lawsuits aren’t as common in Europe as they are in the US, the fact that many US companies have yet to establish the controls on data that the GDPR requires could change that. Non-compliance with GDPR requirements could lead to a surge in lawsuits as soon as the GDPR goes into effect. Another compliance professional, speaking anonymously from London, said it wouldn’t be surprising if “Facebook were sued the very next day.”

The joint US-UK lawsuit filed in Delaware provides a template for legal firms in Europe seeking to ensure that non-EU companies are not flouting the GDPR, and have the proper programs in place to protect the rights of EU citizens. Together, compliance with strong legislation such as the GDPR and the lawsuits and penalties that follow non-compliance, could help usher in a new era for Internet users and data analytics firms. It is not too late to make sure your company is taking the steps needed to avoid the problems Facebook and others are facing right now: take a look at our GDPR coverage, and determine what your organization needs to do in order to remain compliant.