Data Privacy & Corporate Governance

By Nimesha Perera

It is 2020 and the new California Consumer Privacy Act has gone into effect. John Stephens, California Consumer Privacy Act, American Bar Association (Feb. 14, 2019), https://www.americanbar.org/groups/business_law/publications/committee_newsletters/bcl/2019/201902/fa_9/. Facebook is publicly dealing with its groundbreaking $5 billion fine from the Federal Trade Commission (“FTC”) over data privacy concerns. See Brian Fung, Facebook will pay an unprecedented $5 billion penalty over privacy breaches, CNN (July 25, 2019); Michael Nunez, FTC Slaps Facebook With $5 Billion Fine, Forces New Privacy Controls, Forbes (July 24, 2019). Amazon is fiercely promoting its creatively titled facial recognition program “Amazon Rekognition” in the face of criticisms. See Kori Hale, Amazon Pitches Shady Facial Recognition Laws, Forbes (Oct. 1, 2019); Nick Wingfield, Amazon Pushes Facial Recognition to Police. Critics See Surveillance Risk., N.Y. Times (May 22, 2018). As cybersecurity begins to creep into the considerations of the average consumer, a major question should be at the center of the frontier of technology and human rights: Do corporations care about protecting data privacy rights?

According to the FTC, the settlement with Facebook in July 2019 was the “largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.” FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook, FTC (July 24, 2019). The settlement was a result of a year-long investigation by the FTC following the Cambridge Analytica scandal as well as multiple violations of the 2012 settlement order by the FTC, and “deceptive practices.” Id. In addition to the $5 billion fine, Facebook agreed to follow certain privacy practices over the next 20 years. Id.

Some examples of the new privacy requirements:

  • designating compliance officers who will be responsible for Facebook’s privacy program

  • the use of an independent third-party assessor to analyze the privacy program

  • prohibition from using telephone numbers obtained to enable a security feature for advertising

  • a requirement to provide clear and conspicuous notice of its use of facial recognition technology. Id.

In addition to the above examples, the FTC has compelled Facebook to create an independent privacy committee of Facebook board directors, who will be independent and appointed by an independent nominating committee. Id. The creation of this committee “remov[es] unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy.” Id. The establishment of this committee is a major step toward creating the corporate oversight needed in cybersecurity and data privacy for entities like Facebook.

Facebook has two standing board committees: an Audit & Risk Oversight Committee and a Compensation, Nominating & Governance Committee. Corporate Governance Guidelines, Facebook, Inc. (Oct. 30, 2019). While one of the responsibilities and duties of the Audit & Risk Oversight Committee includes risk oversight relating to privacy and data use, this area falls under the umbrella of one of the committee’s duties, along with four other risk areas of review. Audit & Risk Oversight Committee Charter, Facebook, Inc. (June 14, 2018). Facebook is not part of the minority. According to a study, only 10% of companies “assigned oversight of cybersecurity, digital transformation and information technology to an additional committee.” Steve W. Klemash, Kellie C. Huennekens, & Jamie Smith, A Fresh Look at Board Committees, Harv. L. Sch. Forum on Corp. Governance (July 10, 2018).

In addition to board oversight, shareholder proposals and lawsuits have been another tool in shaping corporate governance. See generally Kosmas Papadopoulos, The Long View: The Role of Shareholder Proposals in Shaping U.S. Corporate Governance (2000-2018), Harv. L. Sch. Forum on Corp. Governance (Feb. 6, 2019). After Marriott’s data breach, which compromised the personal information of up to 500 million guests, shareholders immediately filed lawsuits. Irina Ivanova, Marriott breach sparks multibillion-dollar suits, with more to come, CBS News (Dec. 4, 2018). Lawsuits by shareholders are one option to deal with data security issues, but are only an option after an avoidable and unfortunate violation by a corporation. Shareholder proposals are high-level strategies to address risk and ensure prevention before a major event like a data breach, or a major violation of data privacy rights can occur under a corporation’s watch.

Amazon received two proposals by shareholders this year on facial recognition issues with the controversial Amazon Rekognition. Matt Day, Amazon shareholders vote down facial recognition, climate change proposals, L.A. Times (May 22, 2019); Emily Birnbaum, Amazon shareholders vote down limits on facial recognition software, The Hill (May 22, 2019).

One asked the company to prohibit the sale of facial recognition technology to the government. Natasha Singer, Amazon Faces Investor Pressure Over Facial Recognition, N.Y. Times (May 20, 2019). Another requested an independent report examining how the software “may threaten civil, human and privacy rights, and the company’s finances.” Id. Similarly, a group of nun shareholders filed a proposal for concrete action against the use of controversial, racist facial recognition technology by ICE, the FBI and police departments around the nation. Alex Pasternack, Nuns and other Amazon investors pressure Jeff Bezos over face recognition, Fast Company (Jan. 17, 2019) (“The Sisters of St. Joseph of Brentwood filed the resolution as shareholders and members of the Tri-State Coalition for Responsible Investment, which represents a group of investors with over $1.32 billion…”).

While these respective proposals did not pass, there is still hope for this methodology. Companies begin paying close attention to shareholder resolutions that achieve 30% support, and after “a proposal reaches 50%, and investors feel that the company hasn’t sufficiently responded, they tend to consider voting directors out.” Lydia DePillis, Julia Horowitz & Danielle Wiener-Bronner, Corporate America is fighting back against shareholder activism — here’s how, WRAL TechWire (Nov. 8, 2019).

In an extensive study, CEOs, board directors, and institutional investors ranked CEOs’ top 5 global challenges to business growth and the global economy, with a non-surprising number 1: national and corporate cybersecurity. John de Yonge, For CEOs, are the days of sidelining global challenges numbered?, Ernst & Young (July 8, 2019). As we advance in technological achievements and the recognition of data rights, corporations and stakeholders alike have a growing interest in and an urgent need to address data privacy and cybersecurity risks.

 

Bio: Nimesha Perera is currently a 2L at Northeastern University School of Law. She received her Master of Science in Political Science from Suffolk University and her Bachelor of Arts in International Relations from SUNY Geneseo. Originally from Queens, NY, Nimesha has permanently relocated to Boston and is loving exploring her new city.
