Facebook Inc
Harvesting, Using & Selling of User Private Information | Cambridge Analytica Scandal
1-Introduction to the Issue and Stakeholder Analysis
Facebook Inc is currently in the middle of the chaos created by the revelation of the massive data scandal involving the London-based consultancy firm Cambridge Analytica. The social media giant is alleged to have harvested, used and sold the personal data of its users to third parties (Cambridge Academic created psychographic profiles of 87 million users which were then sold to Cambridge Analytica) [1]. The data are alleged to have been used to influence the outcome of the US 2016 presidential election and the Brexit vote. The issue, if not resolved, has the potential to affect a wider range of stakeholders, as the Cambridge Analytica event has recently shown [2].
The investors and shareholders of the company are the key stakeholders, and they bear a major part of the impact of this issue. The resulting unpredictability of Facebook's stock and its prospects has shown how strongly such events can affect them. About 73.55% of Facebook Inc's shares are held by institutions. These investors have become highly active in raising their concerns over the current workings of Facebook by putting forward shareholder proposals. Some of the major institutional holders are:
- Vanguard Group Inc
- Capital World Investors
- Blackrock Inc
- Capital Research Global Investors
- FMR LLC
- State Street Corporation
- Fidelity Contrafund Inc [3]
Other than these, the advisors of the investors of Facebook Inc are key stakeholders as well. These advisory companies tend to act on their clients' behalf in raising concerns over the practices of the subject company.
Trillium Asset Management filed a shareholder proposal to Facebook Inc as requested by its client The Park Foundation Inc which holds about $2000 of Facebook Inc common stock. The proposal has requested the company to strengthen its risk governance by creating a separate risk committee with experts in ethics, journalism, and psychology [4].
Data privacy and security regulators, such as the European Union, the governments of the US and the UK, and the United Nations, have an obligation not only to foresee this issue but also to provide the necessary support through regulations and their implementation in the private and non-private sectors of industry.
The European Union has implemented its new data protection reform under the name of the General Data Protection Regulation [5]. The seriousness of this issue cannot be ignored, as the repercussions extend not only to the stakeholders but also to governments, their policies, the consumers of Facebook and, overall, the entire business community, as the Cambridge Analytica incident has shown.
2-Applicable Norms
Shareholder resolution: Shareholders request Facebook to comply with the regulations set out by the European Union General Data Protection Regulation and to also improve its corporate governance by creating a separate risk committee with experts in ethics and psychology. The company is advised to comply with the requirements of consent for its users and disclose all information regarding the harvesting, using, and selling of the private information of its users in its proxy statement.
Privacy and data protection are two connected, commonly recognized rights which are also an important part of a sustainable democracy. According to the European Union, human dignity is one of the absolute fundamental rights. In the US, privacy has been considered an element of liberty. Although its definition differs between Europe and other parts of the world, it is still considered a fundamental right in the EU under Article 12 of the Universal Declaration of Human Rights, Article 8 of the European Convention of Human Rights, and Article 7 of the European Charter of Fundamental Rights.
Furthermore, Article 16 of the Treaty on the Functioning of the European Union obliges the EU to provide data protection laws for personal data processing. The General Data Protection Regulation is the new legal framework put forward by the EU and enacted throughout its member states from May 2018 [6].
The UN Guiding Principles on Business and Human Rights require states to protect against any abuses by businesses within their jurisdictions. They require companies to act responsibly by refraining from interfering with the right to privacy of individuals and companies [7].
Many other companies similar to Facebook Inc use the same strategy for their user data. Google, Yahoo, and other companies also operate on a similar business model. These companies have not been charged with similar scandals; however, they too have been the target of criticism over breaches of user data protection. These companies, along with Facebook Inc, need to implement regulations that are compliant with the EU and UN guiding principles of fundamental data privacy and protection. If this is not addressed in time, these companies, including Facebook, can be threatened with a complete ban on their operations if any such scandal occurs again.
3-Best Practice of This Issue
The best practice on this issue is regulated and implemented by the European Union General Data Protection Regulation. The document for European Union GDPR refers specifically to the Facebook revelation of Cambridge Analytica for its right approach. The improvements brought about after the implementation of GDPR include:
- Use of clear, straightforward language for privacy policies, with no long and complicated terms and conditions
- Users must provide affirmative consent to the use of their data for business. Silence is not considered consent.
- Users are to be informed of any transfer of their data outside the EU
- Businesses that use an algorithm to make decisions about a user based on their data are now required to inform the user of the automated decision and provide an opportunity for consent.
- The aim of collection and processing of data has to be well defined, and the data cannot be used without notice for any other purpose.
- Users are to be notified of a data breach without delay
- Transfer of data from one platform to another is to be made possible
- The user has access to all user data
- Clearly defined right to be forgotten for deletion of past data with clear safeguards
- Imposition of fines on businesses up to 20 million EUR or 4% of the turnover of the company (whichever is higher). The final decision power resides with the EU Data Protection Board [8].
4-Draft Shareholder Resolution
Shareholder resolution: Shareholders request Facebook to comply with the regulations set out by the European Union General Data Protection Regulation and to also improve its corporate governance by creating a separate risk committee with experts in ethics and psychology. The management is advised to discuss the merits of the establishment of the Risk Oversight Board Committee within a reasonable time, at a reasonable cost while omitting proprietary and confidential information. The company is further advised to comply with the requirements of consent for its users and disclose all information regarding the harvesting, using, and selling of the private information of its users in its proxy statement.
The resolution regarding the Risk Oversight board has already been put forward once, and it is advised again in light of the recent events of the Cambridge Analytica scandal. It should be considered a reinforcement of the past proposal and an addition to it regarding compliance with the EU General Data Protection Regulation and disclosure reporting in the Proxy Statement.
The investor community is expected to support this proposal not only to safeguard their long-term value, but also to help assure a sustainable democratic environment. The UK is not part of the European Union and is not required to comply with the European Union GDPR. However, as this is the best practice until now, it should be adopted by Facebook Inc. The consideration of the proposal and its implementation would boost investor confidence in Facebook and would also provide Facebook with the necessary competitive edge to survive this situation. The new legislative framework has been openly opposed by Facebook management regarding the European corporation of DPCs, privacy by default, right to be forgotten, the requirement for consent, easier data transfer, breach notifications, fines on the breach, and reduced data processing decisions. Facebook has even published a lobbying document showcasing its opposition to the legislation. However, Facebook needs to reconsider its position in light of the events of Cambridge Analytica and the declining support of its investors [9].
5-Supporting Statement
With more than 2 billion users, Facebook Inc currently faces slim chances of getting past the global controversy about the reported Russian interference in the United States 2016 Election. Shareholders are concerned over the failure of Facebook Inc to proactively address the issue, which poses significant legal, regulatory, and reputational risk to shareholder value.
We believe that the company is responsible for demonstrating how it harvests, manages and sells data, in order to prevent any violations of users’ rights and its terms of service. Facebook's data protection and privacy policies tend to be reactive, and are thus inadequate. Facebook constantly rejected the recent allegations of illegal use of Facebook users' personal data by the third party until the Congressional investigation forced its CEO to admit to vulnerabilities in its process which could have been exploited for political gains and interference.
The EU GDPR is the most fundamental regulatory change which has occurred in the last twenty years. The new GDPR has replaced the older Data Protection Directive 95/46/EC. Compliance with the GDPR would allow Facebook Inc to:
- Protect and empower its users regarding their content privacy
- Reshape the way it manages data, redefining the roles of its CIO to CMOs.
- Provide users of Facebook with more control over their data, gaining competitive advantage in the market and preserving shareholder value [10]
Compliance would require Facebook Inc to address the challenges that it has been facing since the Cambridge Analytica scandal. In the past, Facebook has opposed this legislation aggressively. The opposition is based on the perception that it would complicate the process for its users and consequently make them leave the site, eventually affecting its revenues. The company is concerned about its revenues [11]. Even though revenue preservation represents an important element of shareholder value, it cannot come at the cost of fundamental rights. By not complying with these regulations, Facebook is admittedly consenting to the breach of data protection and data privacy rights as per Article 12 of the Universal Declaration of Human Rights, Article 8 of the European Convention of Human Rights, Article 7 of the European Charter of Fundamental Rights, and Article 16 of the Treaty on the Functioning of the European Union.
Facebook Inc is thus advised to implement the following clauses:
- Use of clear, straightforward language for privacy policies of the user content
- Obtain affirmative consent from users before using their data for business.
- Inform the user of any transfer of their data outside the EU
- Where an algorithm needs to be used to make decisions about the user based on their content, Facebook should first inform the user of the automated decision and provide an opportunity for consent.
- For the collection and processing of data, the purpose has to be well defined, and for further use of the same data for another purpose, Facebook should inform the user again.
- Data breaches are to be notified to the user without any delay, within 72 hours
- Transfer of data from one social platform to another social platform is to be facilitated
- The user should be provided access to all user data, and it should be easily retrievable and downloadable
- Provide a process for the deletion of past data with clear safeguards
- Acceptance of fines and of the final decision power of the EU Data Protection Board [12].
The lack of due diligence and the lack of seriousness shown by Facebook Inc in giving third parties access to the personal data of its users gave rise to the Cambridge Analytica scandal. It has been seen that the risk committee strives for an enterprise-wide and integrated approach to the management and identification of risks, improving the quality of risk reporting and its monitoring for the board and management [13]. The management is normally given broad risk management responsibilities which can be overseen by the risk committee. The rapid growth of Facebook Inc and its technological advances have made understanding its impact quite challenging, and this poses material financial risks for the company and its investors. Facebook may handle the situation as it did before, in a “whack-a-mole” manner. However, this truly shows the lack of a strategic approach by the board towards risk management. The company is facing several lawsuits regarding the breach of privacy of its users. The unintended consequences are emerging on a daily basis and are indicative of the need for a strong risk oversight strategy for tackling the challenges.
Facebook opposed the last proposal for the establishment of a Risk Oversight Committee of the board. Facebook had, on the contrary, preferred to discuss the major financial and enterprise risks and exposures with the management and has assured its consideration in the monitoring and control mechanism of risk [14]. However, the mentioned steps are not enough to handle the challenges faced by Facebook at this time.
All changes and reporting disclosures should be reported in the proxy statement to inform and educate the shareholders and regulatory bodies for compliance with the EU GDPR regulations.
Given the nature of the challenges, the effectiveness of the Board Risk Oversight Committee, the implementation of and compliance with the General Data Protection Regulation of the European Union, and the disclosure of its content protection policies in the proxy statement are surely going to preserve shareholder value and establish a strong reputation for Facebook's strategy as a proactive approach. Therefore, the shareholders of Facebook Inc are advised to vote FOR the proposal, as its consideration and implementation would ensure the safeguarding of shareholder value and interests.
Bibliography
[1] Roberts, Jedd John. “Facebook Has Been Hit by Dozens of Data Lawsuits. And This Could Be Just the Beginning.” Fortune, April 30, 2018. Accessed November 23, 2018. http://fortune.com/2018/04/30/facebook-data-lawsuits/.
[2] Weisbaum, Herb. “Trust in Facebook has dropped by 66 percent since the Cambridge Analytica scandal.” NBC News, April 19, 2018. Accessed November 23, 2018. https://www.nbcnews.com/business/consumer/trust-facebook-has-dropped-51-percent-cambridge-analytica-scandal-n867011.
[3] Yahoo Finance. “Facebook, Inc. (FB).” Yahoo Finance, November 23, 2018. Accessed November 23, 2018. https://finance.yahoo.com/quote/FB/holders/.
[4] Kozlowska, Hanna. “Facebook investors say they can help fix the company.” Quartz, January 8, 2018. Accessed November 23, 2018. https://qz.com/1171602/facebook-shareholders-filed-a-proposal-that-would-establish-a-risk-oversight-committee/.
[5] European Data Protection Supervisor. “Data Protection.” European Data Protection Supervisor, May 2018. Accessed November 23, 2018. https://edps.europa.eu/data-protection/data-protection_en.
[6] European Data Protection Supervisor. “Data Protection.” European Data Protection Supervisor, May 2018. Accessed November 23, 2018. https://edps.europa.eu/data-protection/data-protection_en.
[7] Brown, Deborah. “New UN resolution on the right to privacy in the digital age: crucial and timely.” Policy Review, November 22, 2016. Accessed November 23, 2018. https://policyreview.info/articles/news/new-un-resolution-right-privacy-digital-age-crucial-and-timely/436.
[8] European Commission. “A new era for data protection in the EU | What changes after May 2018.” European Commission, May 2018. Accessed November 23, 2018. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-changes_en.pdf.
[9] Facebook Inc. “Facebook’s views on the proposed data protection regulation.” Europe-V-Facebook. Organization, March 30, 2012. Accessed November 23, 2018. http://www.europe-v-facebook.org/FOI_Facebook_Lobbying.pdf.
[10] European Union. “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.” Official Journal of the European Union 119, no. 2016 (2016): 1-88.
[11] Facebook Inc. “Facebook’s views on the proposed data protection regulation.” Europe-V-Facebook. Organization, March 30, 2012. Accessed November 23, 2018. http://www.europe-v-facebook.org/FOI_Facebook_Lobbying.pdf.
[12] European Commission. “A new era for data protection in the EU | What changes after May 2018.” European Commission, May 2018. Accessed November 23, 2018. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-changes_en.pdf.
[13] O’Hanley, Ronald P. “Long-Term Value Begins at the Board.” Harvard Law School, March 20, 2017. Accessed November 23, 2018. https://corpgov.law.harvard.edu/.
[14] Trillium Asset Management. “Facebook – Risk Oversight Committee (2018).” Trillium Asset Management, 2018. Accessed November 23, 2018. http://www.trilliuminvest.com/shareholder-proposal/facebook-risk-oversight-committee-2018/