Whether the Attorney General can obtain from Facebook factual information derived from the company’s investigation of third parties that improperly accessed user data.
The Massachusetts Attorney General opened an investigation into consumer privacy abuses following the Cambridge Analytica scandal. The AG sought information about the identities of developers and applications which Facebook found had impermissibly accessed user data, along with Facebook’s internal communications about them. Facebook challenged this request, claiming that the information was privileged because it was prepared in anticipation of the extensive litigation Facebook now faces. After a trial court ordered Facebook to hand over the requested information, Facebook directly appealed to the Supreme Judicial Court of Massachusetts.
The Facebook Platform allows third-party app developers to promote and offer apps that are integrated with Facebook. The system provides the developers with access to a variety of users’ personal information.
In 2009, EPIC and others urged the FTC to investigate Facebook’s Platform and the extent to which third parties could access granular user information without their knowledge or consent. After investigating the company for several years, the FTC ordered entered into a consent order with Facebook that required the company to implement detection and enforcement programs which would regularly monitor and investigate apps and developers that potentially violated user privacy policies. The FTC also required Facebook to limit the amount of user data parties on the Platform could access.
In 2014, a single Facebook Platform app developer was able to access and extract the personal information of 87 million users without their knowledge or consent and then provided that data to Cambridge Analytica for use in political ad campaigns. The FTC nor the independent auditor tasked with assessing Facebook’s privacy program under the 2012 Consent Order detected the failure in Facebook’s monitoring system.
When news broke of the Cambridge Analytica incident in March 2018, Facebook announced an investigation into other apps and developers who may have used the Platform in a similar way to extract personal information.
In 2018, Massachusetts AG Maura Healey announced that her office would investigate Facebook. The investigation seeks in part to identify app developers who may have violated the state’s Consumer Protection Act. The AG has demanded information from Facebook’s investigation of other third party apps. Facebook refused to provide the requested information.
In 2019, the AG filed a petition with the trial court to compel Facebook to comply with the demand for information on apps and developers identified by Facebook’s investigation and related internal communications. In response to the petition, Facebook argued that all of the requested information was protected by attorney-client privilege because it was gathered by the company in the course of an internal investigation designed and managed by Facebook’s lawyers. The trial court rejected Facebook’s argument and ordered Facebook to provide the requested information. Facebook then applied for direct review to the Supreme Judicial Court. The Court granted review in May 2020.
A central issue on appeal is whether the information the AG seeks contains protected or privileged client-attorney communications. Facebook argues they do, since the information only exists because Facebook chose to investigate the Platform after the company faced a wave of litigation in early 2018. EPIC argues in an amicus brief that Facebook was obligated to proactively monitor for the very information at issue in the case, and that the company’s failure to do so until there was a threat of litigation should not justify secrecy.
EPIC has consistently urged the FTC to investigate and regulate Facebook’s data practices, especially sharing users’ personal information without their knowledge or consent. In 2009, EPIC and others focused the FTC’s attention on this particular issue in a complaint highlighting the vast amounts of personal information available to third parties through the Platform. EPIC was directly involved in the Cambridge Analytica investigations, urging the FTC to investigate the company’s data sharing practices. EPIC more recently moved to intervene in the FTC’s 2020 settlement with Facebook and filed an amicus brief arguing that the deal would not require Facebook to change its practices in any meaningful way. EPIC gathered thousands of complaints filed by users with the FTC regarding Facebook’s data sharing practices in the years between the 2012 Order and the 2020 settlement. EPIC also uncovered communications between the FTC and Facebook that demonstrated the FTC’s reluctance to effectively enforce the requirements of the 2012 Order, which may have prevented the Cambridge Analytica incident altogether.