Marshall L. Miller and Jeohn Salone Favors of Wachtell, Lipton, Rosen & Katz offer a generally favorable assessment of the settlement between Facebook and the FTC:
... the FTC filed a complaint alleging that Facebook “subverted users’ privacy choices to serve its own business interests,” through false promises regarding users’ ability to control privacy settings, misrepresentations regarding the sharing of users’ personal data with third parties, and deceptive practices as to the collection and use of users’ telephone numbers. These actions violated the terms of the 2012 consent decree, which barred Facebook from making deceptive privacy claims and required a reasonable program to protect user privacy.
The monetary penalty of $5 billion dwarfs all prior fines in this area, including the FTC’s $100 million penalty in 2016, as well as the largest international data privacy penalty to date, a £183 million finerecently imposed by U.K. authorities. Meanwhile, the remedial order imposes expansive compliance obligations and vigorous accountability and reporting requirements, including the establishment of a board privacy committee made up of independent directors, designation of compliance officers accountable to that committee, a third-party compliance assessor with enhanced authority and independence, heightened privacy requirements for sensitive applications and activities, and quarterly privacy certifications to the FTC, including from the CEO. Given the order’s 20-year duration, the FTC will exert influence over Facebook’s privacy practices—and, at least by extension, the tech industry—for decades to come.
But aspects of the resolution have prompted backlash from the dissenting commissioners and critics in Congress. For example, the settlement order applies only to Facebook as a company and releases claims against individual officers, though media reports had suggested the agency was considering holding executives personally responsible for the company’s privacy failures. And in the view of the dissenting commissioners, the settlement does not impose sufficiently meaningful limits on Facebook’s practices related to the collection, use, and sharing of customer data.
Personally, I view the $5 billion fine as a slap on the wrist. In the First Quarter of 2018 alone, Facebook's net income was $4.988 billion. It's a cost of doing business for Zuckerberg.
But it is the lack of individual accountability that troubles me. My view on entity versus individual liability were very much shaped by Jennifer H. Arlen & William J. Carney, Vicarious Liability for Fraud on Securities Markets: Theory and Evidence, 1992 U. Ill. L. Rev. 691 (1992).
Jennifer and Bill persuasively argued that:
Imposing liability on the firm results in a large wealth transfer from one group of innocent investors to another similar group. Because this transfer neither deters fraud nor spreads losses, it performs no useful social function. The authors conclude that a rule of agent liability, supplemented with criminal enforcement, is preferable.
They focus on securities cases involving fraud on the market, finding that the wrongdoing in such cases "typically is committed by corporate officers, apparently without consent of the board of directors or major shareholders." (695) Despite that limited focus, the argument has always struck me as having more general application.
Hence, for example, in Institutional versus individual liability; Should we burn Penn State down?, I wrote that:
There is an argument for imposing civil liability on corporations and other institutions (i.e., legal persons) where their agents commit torts or breach contracts. A major function of civil liability, after all, is compensation of victims of malfeasance and misfeasance. The legal person will often have far deeper pockets than any of the natural persons amongst its stakeholders. Having one defendant rather than many, moreover, reduces tertiary costs for both parties and society. (Note, BTW, that because compensation is a key goal of civil liability, burning the place down would seem counterproductive.)
Having said that, however, I'm not completely convinced. In the first place, most major corporate misconduct implicates senior corporate officials, such that a regime of personal--rather than corporate--liability would provide them with incentives to cause the corporate entity to insure against the risk of such losses, which satisfies the goal of compensation.
More important, however, the role of compensation as a justification for corporate liability is more compliucated than one might think. In an important article, Vicarious Liability for Fraud on Securities Markets: Theory and Evidence, 1992 U. Ill. L. Rev. 691, Jennifer Arlen and William Carney, tackled this question with regard to corporate liability for securities frauds committed by agents of the firm. As they demonstrate, when a corporation pays a large fine the resulting balance sheet effect is to reduce assets on the left side. On the right hand side, liabilities remain constant. To offset the decline in net assets, accordingly, shareholder equity must fall. As a result, the effect of civil monetary liability is to replace "one group of innocent victims with another: those who were shareholders when the fraud was revealed. Moreover, enterprise liability does not even effect a one-to-one transfer between innocent victims: a large percentage of the plaintiffs' recovery goes to their lawyers. Finally, enterprise liability may injure innocent people in addition to shareholders. For example, employees are injured if enterprise liability sends a firm into bankruptcy or causes it to lay off employees." Id. at 719.
The case for corporate criminal liability is even weaker. The principal functions of criminal liability are retribution and deterrence. As I have argued elsewhere in the context of corporate reparations:
A corporation is not a moral actor. Edward, First Baron Thurlow, put it best: "Did you ever expect a corporation to have a conscience, when it has no soul to be damned, and nobody to be kicked?" The corporation is simply a nexus of contracts between factors of production. As such, there is no moral basis for applying retributive justice to a corporation - there is nothing there to be punished.
So who do we punish when we force the corporation to pay reparations? Since the payment comes out of the corporation's treasury, it reduces the value of the residual claim on the corporation's assets and earnings. In other words, the shareholders pay. Not the directors and officers who actually committed the alleged wrongdoing (who in most of these cases are long dead anyway), but modern shareholders who did nothing wrong. Retributive justice is legitimate only where the actor to be punished has committed acts to which moral blameworthiness can be assigned. Even if you assume the corporation is still benefiting from alleged wrongdoing that happened decades or even centuries ago, which seems implausible, the modern shareholders are mere holders in due course. It is therefore difficult to see a moral basis punishing them. They have done nothing for which they are blameworthy.
As always in corporate accountability, both efficiency and morality require that punishment be directed solely at those who actually commit wrongdoing. In this context, it would be the directors, officers, or controlling shareholders who actually enslaved people. Since they're long dead, there is nobody left who properly can be punished.
That conclusion was influenced in part by the Arlen and Carney paper, which argues for imposing liability on the corporation's agents:
... we find that there is little reason to believe that enterprise liability is the superior rule from the standpoint of deterrence, and there are many reasons to suspect the contrary. The deterrent effect of the available monetary sanctions under agent liability probably exceeds the deterrent effect of enterprise liability because a civil judgment against an agent hurts his reputation more than does a sanction imposed by the firm in private. Moreover, the threat that sanctions will be imposed appears to be greater under agent liability. Agent liability places the responsibility of sanctioning wrongful agents with the victims, who have no reason not to proceed against them and have every reason to proceed. Enterprise liability, by contrast, places the responsibility of proceeding against the wrongful agents with the firm, and thus with the very agents (and their close associates) most likely to have committed fraud. Moreover, agent liability in effect enlists insurance companies as corporate monitors and disciplinarians, thereby eliminating the agency costs associated with firm managers monitoring and disciplining each other. Furthermore, the judgment proof problem under agent liability can be completely eliminated if, in addition to civil liability, the government imposes sufficient nonmonetary criminal penalties on agents, such as imprisonment.
Although they are discussing civil liability, their comments on deterrence seem equally applicable to the criminal law.
Interestingly, today's WSJ has an op-ed by Eamonn Butler that speaks to these issues and comes down basically in the place that I do:
Where fines are levied, it is generally on corporations rather than individuals, which means that shareholders and customers (and indeed taxpayers) end up paying instead of those actually responsible. Network Rail, Britain's rail infrastructure provider, was fined £3 million last year for safety failings over the Potters Bar disaster in which seven people were killed, and another £4 million in April for the Grayrigg crash that killed one person and seriously injured 28 others. It will be passengers who stump up that £7 million, not rail executives.
In May this year, Abbott Laboratories agreed to a $1.6 billion corporate fine over its marketing of antiseizure drug Depakote. In July, GlaxoSmithKline settled for $3 billion for the marketing of antidepressants and failing to report safety data on a diabetes drug. Johnson & Johnson could pay $2.2 billion over its promotion of antipsychotic drug Risperdal. Chunky fines, totalling 32%, 37% and 23% of these firms' current income—but no individuals have been charged.
Instead of de facto taxing the corporation's shareholders, he argues for individual liability:
Regulation is not best delivered by constantly peering over the shoulders of traders at huge bureaucratic cost. It is served by setting clear, broad rules, and by punishing those who break them.
Precisely.
With respect to many Big tech cases the case for individual liability is strengthened because of their dual class capital structure. At Facebook, for example, there are two classes of stock: one with the ordinary one vote per share and one with 10 votes per share. The supervening stock is held almost exclusively by Zuckerberg, giving him effective voting control despite owning a small percentage of the firm's equity.
As long time readers know, my take on dual class stock is you made your bed, now you must lie in it. Dual class stock has known agency cost consequences. Investors who buy dual class stock should discount the price they are willing to pay to adjust for that risk. Going forward, the cost is baked into the price.
But while I would not regulate dual class stock, the fact that Zuckerberg has used it to entrench himself in power surely strengthens the argument that if you punish Facebook you must punish Zuckerberg. Personally and punitively.