A US federal judge has ruled that the 29 million Facebook users affected by the September 2018 data breach may not seek damages as a remedy, but can only pursue the enforcement of better security practices at Facebook, according to a report by Reuters. Judge Alsup of the US District Court stated that Facebook’s repetitive losses of users’ privacy indicated a long-term need for supervision, which comes in addition to prior judgment which indicated that Facebook’s views about user’s privacy expectations were “so wrong”.

A core aspect of Facebook’s privacy principles is the notion of user consent and control. However, as we recently blogged about, the dependence and vulnerability of online consumers requires action to be taken on a regulatory level. David Vaile, the chairman of the Australian Privacy Foundation, recently advised that consent is coming into disrepute as a model for accepting complicated terms and information. The data-harvesting quiz behind the Cambridge Analytica privacy scandal, for instance, required an irrevocable and unfair consent predicated upon confusing information and intricate legal concepts.

Whilst such guidance is useful in highlighting inadequacies in Facebook’s privacy practices, the course of events underscores the complexity at truly changing the paradigms under which these companies operate. A mere £500,000 fine and enabling an action for the implementation of strong data security protections does not appear to be a sufficient mechanism for entities such as Facebook with vast amounts of personal information to take privacy and data security as seriously as they should. We will keep you updated on any further progress.