Will Regulators Catch Up on Privacy Protections?

For many companies, a $550 million settlement in a class action lawsuit would strike a crippling blow. Facebook isn’t one of them. The social networking giant revealed in a 10-K filing last month that it agreed to pay more than a half a billion dollars to end a protracted legal battle stemming from its use of facial recognition technology.

It appears to be the largest settlement in history related to a privacy issue. Yet, given Facebook’s market cap of nearly $600 billion, cutting that check shouldn’t pose a problem for chairman Mark Zuckerberg.

Such is the dilemma for civil libertarians who fear Big Tech’s ongoing creep into our private lives. What looks on its face like a historic litigation triumph has dubious deterrent effect on mammoth companies such as Facebook, Google and Amazon. Even smaller outfits like Clearview AI – which is in the news for providing law enforcement agencies with facial recognition technology to aid in policing – arguably find it better to seek forgiveness later than to ask permission first.

Ironically or not, privacy advocates’ best hope for putting guardrails around facial recognition may be further government intervention. A handful of states have enacted bans on the technology. They include Illinois, where the lawsuit against Facebook was filed based on the state’s Biometric Information Privacy Act. Meanwhile, a bipartisan federal bill to curtail the use of facial recognition technology is currently floating around in the legislative morass of Capitol Hill.

If federal lawmakers do decide to get serious about updating privacy laws to match changes in technology, they may want to follow Europe’s lead. The General Data Protection Regulation, better known as the GDPR, went into effect across the European Union in 2018. It established new rules dictating how companies could use consumers’ data in the EU and granted individuals more control over their information.

So far, the EU’s privacy laws have garnered widespread acclaim, with other countries looking to enact GDPR copies of their own. GDPR’s legion of fans even include high-profile tech industry executives like Zuckerberg and Apple CEO Tim Cook. (Big Tech critics may view that as a strike against a GDPR-like solution for the U.S.)

After being in place for nearly two years, GDPR appears to be catching up with the private sector. For example, it came to light earlier this month that EU authorities are investigating potential violations at Google involving user location data. Overall, one analysis found that data privacy violations have resulted in 190 fines against companies operating in Europe since the law took effect. Importantly, companies are preparing for regulators to step up enforcement activities in the near future.

Is GDPR foolproof? Of course not. It may be the template that lawmakers use in the U.S., however. And it may even be more effective than headline-grabbing settlement figures.