EPIC FOIA Request Facebook Ireland
May 11, 2018 FTC
VIA EMAIL
May 11, 2018
Sarah Mackey
Chief FOIA Officer
Freedom of Information Act Request
Office of General Counsel
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Dear Ms. Mackey:
This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5
U.S.C. § 552, and is submitted on behalf of the Electronic Privacy Information Center (“EPIC”)
to the Federal Trade Commission (“FTC”).
EPIC seeks records related to the Irish Data Protection Commissioner’s (“DPC”)
inquiries to the FTC regarding Facebook’s compliance with the 2012 FTC Consent Order.[1]
Documents Requested
(1) Records including emails, communications, and memoranda related to Facebook’s
compliance with the 2011 FTC Consent Decree between the agency and the Irish
Data Protection Commissioner for its 2011 Audit of Facebook Ireland Ltd. (issued on
December 21, 2011);[2] and
(2) Records including emails, communications, and memoranda related to Facebook’s
compliance with the 2012 FTC Consent Order between the agency and the Irish Data
Protection Commissioner for its 2012 Re-Audit of Facebook Ireland Ltd. (issued on
September 21, 2012).[3]
[1] Consent Order, In the Matter of Facebook, Inc., Docket No. C-4365 (Federal Trade Commission July 27, 2012), https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf [hereinafter the “2012 FTC Consent Order” or “Final Order”].
[2] Office of the Data Prot. Comm’r of Ir., Facebook Ireland Ltd: Report of Audit (2011), https://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf [hereinafter “2011 DPC Audit”].
[3] Office of the Data Prot. Comm’r of Ir., Facebook Ireland Ltd: Report of Re-Audit (2012), https://dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf [hereinafter “2012 DPC Audit”].
Background
From 2009 to 2011, EPIC and a coalition of consumer organizations pursued several
complaints with the FTC, alleging that Facebook had changed user privacy settings and disclosed
the personal data of users to third parties without the consent of users.[4] In response to an
extensive complaint from EPIC and other consumer privacy organizations, the FTC launched an
investigation and issued a Preliminary Order against Facebook in 2011 and then a Final Order in
2012.[5] In the press release accompanying the settlement, the FTC stated that Facebook “deceived
consumers by telling them they could keep their information on Facebook private, and then
repeatedly allowing it to be shared and made public.”[6]
The 2012 FTC Consent Order bars Facebook from making any future misrepresentations
about the privacy and security of a user’s personal information, requires Facebook to obtain a
user’s express consent before enacting changes to its data disclosure practices, and requires
Facebook to have an independent privacy audit every two years for the next twenty years.[7]
In the same year that the FTC issued a Preliminary Order against Facebook, the Austrian
privacy group “Europe-v-Facebook” and other parties filed formal complaints to the Office of
the Data Protection Commissioner (“DPC”) addressing various issues including data access by
third party applications.[8] Europe-v-Facebook’s complaint specifically described (1) that third
party applications could retrieve data from “friends” of users who install the application without
their friends’ consent and (2) that it is unclear which applications receive this data and whether
they would adhere to data protection regulations.[9] The DPC then initiated an audit of Facebook
Ireland to assess its compliance with both Irish Data Protection Law and European Union (“EU”)
law.
The 2011 DPC Audit builds on the work by other regulators, including the FTC.[10]
Specifically, the 2011 DPC Audit examined the privacy governance structure within Facebook
Ireland and stated that the 2011 Preliminary Order “should ensure that Facebook will adopt a
rigorous approach to privacy and data protection issues” and that the focus of the audit was on
possible changes needed to ensure compliance with Irish and EU data protection law.[11]
[4] In re Facebook, EPIC.org, https://epic.org/privacy/inrefacebook/.
[5] In the Matter of Facebook, Inc., a corporation, Federal Trade Commission, https://www.ftc.gov/enforcement/cases-proceedings/092-3184/facebook-inc.
[6] Press Release, Federal Trade Commission, Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises (Nov. 29, 2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep.
[7] Id.
[8] See e.g., Compl. Against Facebook Ireland, Ltd. – 13 “Applications”, Europe-v-Facebook to Office of the Data Protection Commissioner (Aug. 18, 2011), http://www.europe-v-facebook.org/Complaint_13_Applications.pdf.
[9] Id.
[10] 2011 DPC Audit, supra note 2 at 3.
[11] Id. at 4.
In the 2011 DPC Audit, the Data Protection Commissioner made several
recommendations to Facebook Ireland, including new safeguards concerning third party
applications. The DPC found the proactive monitoring and action against third party
applications who breach platform policies to be insufficient to assure users that their data is safe
from third party applications.[12] Moreover, the DPC found that the “reliance on developer
adherence to best practice or stated policy in certain cases” is insufficient to ensure security in
user data.[13] Facebook Ireland responded to this recommendation by stating that they have
proactive auditing and automated tools “not just to detect abuse . . . but to prevent it in the first
place.”[14]
In 2012, the DPC again audited Facebook Ireland to determine whether Facebook
implemented the DPC’s recommendations from the previous audit. The DPC found a
“satisfactory response” from Facebook Ireland regarding its additional steps in preventing third
party applications from accessing unauthorized user information.[15] Following the 2012 DPC
Audit, then Deputy Commissioner Gary Davis stated “[i]t is also clear that ongoing engagement
with [Facebook Ireland] will be necessary as it continues to bring forward new ways of serving
advertising to users and retaining users on the site.”[16]
Following the 2012 DPC Audit, the FTC and the DPC signed a Memorandum of
Understanding to mutually assist and exchange information to enforce compliance with the
privacy laws in each respective country.[17] The Memorandum of Understanding requires that both
the FTC and the DPC “share information, including complaints and other personally identifiable
information” that they believe would be relevant to investigation or enforcement proceedings and
also “coordinate enforcement against cross-border [privacy violations] that are priority issues
for both countries.”[18]
In May 2014, Facebook announced plans to modify its platform to restrict access to
friends’ data by 2015.[19] At that time, DPC regulator Billy Hawkes stated that Facebook “is in
compliance with its obligations under Irish and European data-protection law.”[20] Third party
applications, however, did not have to delete the data they already obtained prior to the 2015
platform upgrade.[21]
[12] Id. at 97.
[13] Id.
[14] Id.
[15] 2012 DPC Audit, supra note 3 at 7–8.
[16] Press Release, Data Protection Comm’r, Report of Review of Facebook Ireland’s Implementation of Audit Recommendations Published – Facebook Turns Off Tag Suggest in the EU (Sept. 9, 2012), https://www.dataprotection.ie/docs/21/09/12_Press_Release_-_Facebook_Ireland_Audit_Review_Repor/1233.htm.
[17] Memorandum of Understanding Between the United States Federal Trade Commission and the Office of the Data Protection Commissioner of Ireland on Mutual Assistance in the Enforcement of Laws Protecting Personal Information in the Private Sector, Ir.-U.S., June 26, 2013, https://www.ftc.gov/system/files/documents/cooperation_agreements/130627usirelandmouprivacyprotection.pdf [hereinafter “Memorandum of Understanding”].
[18] Id. at 3–4.
[19] Josh Constine & Frederic Lardinois, Everything Facebook Launched at F8 and Why, TechCrunch (May 2, 2014), https://techcrunch.com/2014/05/02/f8/.
Cambridge Analytica
Two years after the DPC found a “satisfactory response” from Facebook Ireland
regarding third party applications, a third party application harvested the data of 50 million
Facebook users and transferred the data to a political data analytics firm, Cambridge
Analytica.
On March 16, 2018, Facebook admitted to the unlawful transfer of 50 million user
profiles to the data mining firm Cambridge Analytica.[22] Relying on the data provided by
Facebook, a Cambridge University researcher collected the private information of approximately
270,000 users and their extensive friend networks under false pretenses as a research-driven
application.[23] The data from 50 million profiles was subsequently transferred to Cambridge
Analytica, a political consulting firm hired by President Trump’s 2016 election campaign that
offered services that could identify personalities of voters and their voting behavior.[24] Cambridge
Analytica engaged in the illicit collection of Facebook user data from 2014 to 2016.[25] Facebook
discovered this violation in 2015 but did not inform the public until this year.[26]
Following the Cambridge Analytica scandal, Irish Data Protection Commissioner Helen
Dixon stated that she “is following up with Facebook Ireland” to ensure its oversight for app
developers and third parties’ use of data is effective.[27] Likewise, the FTC recently announced
that it has an open investigation into Facebook’s privacy practices.[28] According to Acting Director
Tom Pahl, “[c]ompanies who have settled previous FTC actions must also comply with FTC
order provisions imposing privacy and data security requirements.”[29]
[20] Derek Scally, Ireland Has Failed to Regulate Facebook on Behalf of Europe, Irish Times (Mar. 24, 2018), https://www.irishtimes.com/opinion/ireland-has-failed-to-regulate-facebook-on-behalf-of-europe-1.3437931.
[21] Josh Constine, Facebook is Shutting Down its API for Giving Your Friend’s Data to Apps, TechCrunch (Apr. 28, 2015), https://techcrunch.com/2015/04/28/facebook-api-shut-down/.
[22] Press Release, Facebook, Suspending Cambridge Analytica and SCL Group from Facebook (Mar. 16, 2018), https://newsroom.fb.com/news/2018/03/suspending-cambridge-analytica/ [hereinafter “Facebook Press Release”].
[23] Id.
[24] Matthew Rosenberg, Nicholas Confessore, & Carole Cadwalladr, How Trump Consultants Exploited the Facebook Data of Millions, N.Y. Times (Mar. 17, 2018), https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html.
[25] Id.
[26] Facebook Press Release, supra note 20.
[27] Conor Humphries, Facebook’s Lead EU Regulator ‘Following Up’ on Third Party Data Use, Reuters (Mar. 20, 2018), https://www.reuters.com/article/us-facebook-cambridge-analytica-ireland/facebooks-lead-eu-regulator-following-up-on-third-party-data-use-idUSKBN1GW1FO.
[28] Press Release, Fed. Trade Comm’n, Statement by the Acting Director of FTC’s Bureau of Consumer Protection Regarding Reported Concerns about Facebook Privacy Practices (Mar. 26, 2018), https://www.ftc.gov/news-events/press-releases/2018/03/statement-acting-director-ftcs-bureau-consumer-protection.
Request for Expedition
EPIC is entitled to expedited processing of this request under the FOIA and the FTC’s
FOIA regulations. 5 U.S.C. § 552(a)(6)(E)(v)(II); 16 C.F.R. § 4.11(a)(1)(i)(G). Specifically, this
request is entitled to expedited processing because, first, there is an “urgency to inform the
public concerning [an] actual . . . Government activity,” and second, this request is made by “a
person primarily engaged in disseminating information.” 16 C.F.R. § 4.11(a)(1)(i)(G).
First, there is an “urgency to inform the public concerning [an] actual . . . Government
activity.” § 4.11(a)(1)(i)(G). The “actual . . . Government activity” at issue is the FTC’s
communications with the DPC regarding Facebook’s compliance with the 2012 Consent Order.
It is undisputed that the FTC works with foreign consumer protection authorities and often
cooperates with foreign authorities on enforcement and policy matters.[30] Specifically, the FTC
and the DPC’s Memorandum of Understanding to mutually exchange information for the
purpose of enforcing privacy laws is applicable to the DPC’s “ongoing engagement” with
Facebook Ireland.[31]
The “urgency” to inform the public about this activity is clear given that Facebook
violated the terms of its 2012 Consent Order by allowing problematic and illegal data collection
via third party applications. The Cambridge Analytica whistleblower that caused media headlines
described exactly what was described in Europe-v-Facebook’s complaint to the Irish DPC in
2011 regarding access of user data through third party applications. Release of this information is
urgent because Mark Zuckerberg refused to testify publicly before the U.K. parliament to explain
how the information of 50 million users ended up in the possession of a foreign data analysis
firm.[32] Moreover, the British Information Commissioner has called for the release of additional
information and executed a warrant to inspect the Cambridge Analytica office.[33]
Second, EPIC is an organization “primarily engaged in disseminating information” to the
public because it is a representative of the news media. 16 C.F.R. § 4.11(a)(1)(i)(G). As the
Court explained in EPIC v. DOD, “EPIC satisfies the definition of ‘representative of the news
media’” entitling it to preferred fee status under the FOIA. 241 F. Supp. 2d 5, 15 (D.D.C. 2003).
[29] Id.
[30] See International Consumer Protection, Fed. Trade Comm’n, https://www.ftc.gov/policy/international/international-consumer-protection/.
[31] See Memorandum of Understanding, supra note 17.
[32] Alex Hern & Dan Sabbagh, Zuckerberg’s Refusal to Testify Before UK MPs ‘Absolutely Astonishing’, The Guardian (Mar. 27, 2018), https://www.theguardian.com/technology/2018/mar/27/facebook-mark-zuckerberg-declines-to-appear-before-uk-fake-news-inquiry-mps.
[33] Statement, Information Commissioner’s Office, ICO Statement: Investigation Into Data Analytics For Political Purposes (Mar. 19, 2018), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/03/ico-statement-investigation-into-data-analytics-for-political-purposes/.
In submitting this request for expedited processing, I certify that this explanation is true
and correct to the best of my knowledge and belief. 16 C.F.R. § 4.11(a)(1)(i)(G); 5 U.S.C. §
552(a)(6)(E)(vi).
Request for “News Media” Fee Status and Public Interest Fee Waiver
EPIC is a “representative of the news media” for fee classification purposes. EPIC v.
DOD, 241 F. Supp. 2d 5 (D.D.C. 2003). Based on EPIC’s status as a “news media” requester,
EPIC is entitled to receive the requested record with only duplication fees assessed. 16 C.F.R. §
4.8(b)(2)(iii); 5 U.S.C. § 552(a)(4)(A)(ii)(II).
Further, any duplication fees should also be waived because (i) disclosure of the
requested information is “likely to contribute significantly to the public understanding of the
operations or activities of the government” and (ii) disclosure of the information is not “primarily
in the commercial interest” of EPIC, the requester. 16 C.F.R. §§ 4.8(2)(i)–(ii); 5 U.S.C. §
552(a)(4)(A)(iii). EPIC’s request satisfies this standard based on the FTC’s considerations for
granting a fee waiver. 16 C.F.R. § 4.8(e)(2).
(1) Disclosure of the requested information is likely to contribute to the public
understanding of the operations or activities of the government.
First, disclosure of the requested documents is in the public interest because it is “likely
to contribute significantly to public understanding of the operations or activities of the
government.” 16 C.F.R. § 4.8(2)(i). The FTC components evaluate these four factors to
determine whether this requirement is met: (i) the subject matter of the request “concerns the
operation and activities of the Federal government”; (ii) the disclosure “is likely to contribute to
an understanding of these operations or activities”; (iii) the disclosure “is likely to contribute [to]
public understanding” of the issue; and (iv) the disclosure will provide a “significant”
contribution to public understanding; §§ 4.8(2)(i)(A)–(D).
On the first factor, the subject of the request self-evidently concerns identifiable
“operations or activities of the Federal government.” 16 C.F.R. § 4.8(2)(i)(A). As previously
stated, the subject of this request self-evidently concerns the FTC’s role in consulting with the
DPC when the office was conducting both the 2011 DPC Audit and 2012 DPC Audit.
On the second factor, disclosure “is likely to contribute to an understanding of these
operations or activities” because Facebook’s compliance with the 2012 Consent Order has a
direct impact on its subsidiaries abroad. 16 C.F.R. § 4.8(2)(i)(B). Facebook Ireland is responsible
for data processing activities and data protection for all Facebook users outside of the U.S. and
Canada.[34] Facebook’s Terms of Service applies to all of its users, but depending on where the
user resides, the contract that governs these terms is either between Facebook, Inc. or Facebook
Ireland, Ltd.[35] Large U.S. companies like Facebook, Google, Twitter, and LinkedIn have their
European headquarters in Ireland. Irish regulators have the lead responsibility for regulating
these technology companies to comply with EU law, which includes contacting the foreign
regulators, such as the FTC, on international consumer protection matters.
[34] Press Release, Data Protection Comm’r, Report of Data Protection Audit of Facebook Ireland Published (Dec. 21, 2011), https://www.dataprotection.ie/docs/21/12/11_Press_Release_-_Report_of_Data_Protection_Audit_of_/1175.htm.
On the third factor, disclosure “is likely to contribute [to] public understanding” of the
issue. 16 C.F.R. § 4.8(2)(i)(C). EPIC is a registered non-profit organization committed to
privacy, open government, and civil liberties.[36] EPIC consistently publishes critical documents
obtained through the FOIA and through litigation on its robust website for educational
purposes.[37] Moreover, EPIC publishes an award-winning email and online newsletter that always
highlights critical documents obtained through the FOIA.[38]
On the fourth factor, the disclosure will provide a “significant” contribution to public
understanding. 16 C.F.R. § 4.8(2)(i)(D). The release of this information would significantly
contribute to the public understanding of the FTC’s techniques for cross-border law enforcement,
namely, when foreign governments raise questions about a company’s compliance with the
FTC’s orders. Furthermore, the public has a right to know how the FTC responds to the concerns that
Facebook has violated the FTC’s consent order.
(2) Disclosure of the information is not primarily in the commercial interest of the
requester
Second, disclosure of the information is not “primarily in [EPIC’s] commercial interest.”
16 C.F.R. § 4.8(2)(ii)(A). Again, EPIC is a registered non-profit organization committed to
privacy, open government, and civil liberties. EPIC has no commercial interest in the requested
records and has established that there is significant public interest in the requested records.
For these reasons, a full fee waiver should be granted for EPIC’s request.
[35] Statement of Rights and Responsibilities, Facebook (Jan. 30, 2015), https://www.facebook.com/terms.php (Section 18.1 states: “If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited.”).
[36] About EPIC, EPIC.org, http://epic.org/epic/about.html.
[37] EPIC.org, https://www.epic.org/.
[38] EPIC Alert, EPIC.org, https://www.epic.org/alert/.
Conclusion
Thank you for your consideration of this request. I anticipate your determination on our
request within ten calendar days. 16 C.F.R. § 4.11(a)(1)(i)(G); 5 U.S.C. § 552(a)(6)(E)(ii)(I). For
questions regarding this request I can be contacted at 202-483-1140 x104 or [email protected]g, cc:
Respectfully submitted,
/s Enid Zhou
Enid Zhou
EPIC Open Government Fellow
/s Sam Lester
Sam Lester
EPIC Consumer Privacy Fellow