Zuckerberg Sued Over Cambridge Analytica Scandal
Lawsuit by DC AG Alleges Facebook CEO Didn't Protect Users Sufficiently

Mark Zuckerberg, CEO of Facebook parent Meta, is being sued for failing to protect users of the social media platform during the Cambridge Analytica privacy scandal.
The lawsuit, initiated by Washington, D.C. Attorney General Karl A. Racine on behalf of the District of Columbia, alleges that Facebook misled users with claims of privacy and data protection.
This action follows the U.S. Office of the Attorney General's review of hundreds of thousands of pages of documents produced during litigation of an ongoing lawsuit filed in December 2018 against Facebook.
Cambridge Analytica, the now-defunct political consultancy that worked for Donald Trump's presidential campaign, received personal data for 87 million Facebook profiles, in violation of the company's policies. The lawsuit, filed in the Washington, D.C. Superior Court, alleges that despite knowing of the situation, Facebook did not inform users until two years later.
"The evidence shows Mr. Zuckerberg was personally involved in Facebook's failure to protect the privacy and data of its users leading directly to the Cambridge Analytica incident. This unprecedented security breach exposed tens of millions of Americans' personal information, and Mr. Zuckerberg's policies enabled a multi-year effort to mislead users about the extent of Facebook's wrongful conduct," Racine says in a statement. "This lawsuit is not only warranted, but necessary, and sends a message that corporate leaders, including CEOs, will be held accountable for their actions."
Louise Brooks, senior General Data Protection Regulation consultant at DQM GRC, a specialist data protection and privacy consultancy, says that the news of this lawsuit is not surprising.
"Considering Mark Zuckerberg is the CEO of the world's largest social media platform and combine that position with his majority shareholding and level of control - the influence Mr. Zuckerberg has is considerable. He must accept responsibility for the decisions made at Meta, particularly those concerning the collection, use and sharing of personal data. From a competition perspective, I would not be surprised if lawsuits like this will be used as a vehicle to curtail the growth and influence the platform has," Brooks says.
A Facebook official was not immediately available to comment on the lawsuit.
OAG's Investigation
Racine says that the Office of the Attorney General conducted a wide range of depositions with Facebook's directors, former employees and whistleblowers and examined hours of Zuckerberg's public statements, including sworn testimony before the U.S. Senate and other law enforcement agencies.
The lawsuit alleges that the evidence found confirmed Zuckerberg's direct oversight of major decisions that led to the collection and manipulation of user data and Facebook’s misrepresentation to users about the security of their personal information.
"In the run-up to the 2016 presidential election, Facebook, under Mr. Zuckerberg's control, allowed a third-party to launch an app claiming to be a 'personality quiz,' which also collected data from the app users' Facebook friends without their knowledge or consent. The app's developer then sold this data to Cambridge Analytica, which used it to help presidential campaigns target voters based on their personal traits," Racine says in his statement.
He says that the investigation, led by the OAG, found that this abuse was among the many examples of Facebook's failure to adhere to its promises to protect consumers' data, violating the District of Columbia's Consumer Protection Procedures Act, which prohibits unfair and deceptive trade practices.
Under the CPPA, individuals are liable for a company's actions if these individuals knew about, controlled, or failed to stop the company's actions, Racine says.
Allegations Against Zuckerberg
The lawsuit filed by Racine says that, as Facebook's co-founder, chief executive officer and a member of Facebook's board of directors, overseeing Facebook’s operations and controlling approximately 60% of the voting shares since 2012, Zuckerberg was "responsible for and had the clear ability to control Facebook’s day-to-day operations."
It alleges that Zuckerberg's vision of opening up the Facebook platform to third-party companies allowed Cambridge Analytica to abuse its access and take massive amounts of user data out of Facebook through a side door that was an open secret to developers and Facebook alike. Racine says that Zuckerberg was involved in "envisioning and administering this new regime. Meanwhile, Facebook represented to users that their data was safe."
"Now that Facebook has grown larger than any country on earth, with revenues exceeding the economies of many nations," Racine says, "Mr. Zuckerberg’s decision-making has global implications - including impacting the data and privacy of hundreds of thousands of users in the District."
Other Lawsuits
Racine is known for filing a series of lawsuits against tech giants such as Facebook, Amazon and Google.
He filed an antitrust lawsuit against Amazon to stop anti-competitive and unlawful behavior that controls prices across the entire online market. The lawsuit was dismissed in March.
Racine also sued Google for deceiving and manipulating consumers to gain access to their location data, including making it nearly impossible for users to stop their location from being tracked. The lawsuit is ongoing.
Racine introduced legislation before the Washington, D.C. Council to modernize the district's data breach law, strengthen protections for residents' personal information and prevent identity theft. The legislation passed in 2020.
Cambridge Analytica Fallout
In 2019, Facebook agreed to pay 500,000 pounds - $643,000 - to settle claims that it had violated U.K. privacy laws by allowing Cambridge Analytica to access the personal data of 87 million users.
In July 2019, the U.S. Federal Trade Commission and the Department of Justice announced a record-setting $5 billion fine as part of a settlement agreement with Facebook concerning the misuse of users' personal data and information. In addition, Zuckerberg agreed to implement new privacy and data protection measures for users of its social media platforms (see: It's Official: FTC Fines Facebook $5 Billion).
Around the same time, Italy's data protection regulator slapped Facebook with a $1 million fine.
In its settlement with the ICO, Facebook executives acknowledged that the company should have done more to investigate how Cambridge Analytica was using its customers' data.