Gibson, Dunn & Crutcher Gibson Dunn offices in Washington. Credit: Diego M. Radzinschi/ ALM

Updated on Monday, March 26

Amid broader concerns about how Russia exploited social media to interfere in the 2016 election, Facebook Inc. faces growing scrutiny over the transfer of up to 50 million users' personal data to a voter-profiling firm linked to President Donald Trump's campaign.

Lawmakers have called for Facebook CEO Mark Zuckerberg to be summoned for hearings in Washington. Another Facebook executive, Chief Information Officer Alex Stamos, plans to leave the company later this year—reportedly after meeting resistance when he advocated for more transparency about Russia's use of the social media platform.

The Federal Trade Commission on March 26 confirmed an open investigation into Facebook's privacy practices. “Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook,” Tom Pahl, acting director of the FTC's consumer protection bureau, said in a statement. “Today, the FTC is confirming that it has an open non-public investigation into these practices.”

Indeed, Facebook's 2011 settlement with the FTC over its handling of user data required the company to, among other things, obtain express consent before sharing user information beyond what individual privacy settings allow.

Inside Facebook, one lawyer is especially familiar with the terms of that 7-year-old settlement.

In 2011, S. Ashlie Beringer was one of the two Gibson, Dunn & Crutcher partners—along with M. Sean Royall—who signed the FTC settlement with Facebook's general counsel at the time, Theodore Ullyot.

Ashlie Beringer

Two years after guiding Facebook to that agreement, in 2013, Beringer left Gibson Dunn to become vice president and deputy general counsel at Facebook, where she leads the global regulatory, product and privacy legal team.

Also on the settlement was the director of the FTC's consumer protection bureau at the time, David Vladeck, who said Beringer's involvement in the 2011 settlement “makes her uniquely well-prepared to represent Facebook's position in this matter.”

“She's the principal signer of the consent decree. She was actively involved in negotiating the decree. My impression of her is she's one hell of a good lawyer,” Vladeck said in an interview Tuesday.

Beringer, formerly a Gibson Dunn partner in Palo Alto, California, did not immediately respond to a request for comment Tuesday. Facebook also did not immediately comment.

“We reject any suggestion of violation of the consent decree. We respected the privacy settings that people had in place,” Facebook told The Washington Post in a March 18 report. “Privacy and data protections are fundamental to every decision we make.”

The New York Times and The Guardian reported over the weekend that a voter-profiling company, Cambridge Analytica, mined the personal information of more than 50 million Facebook users without their permission—data that was then wielded for targeting political advertising. Cambridge Analytica obtained the data from Aleksandr Kogan, a researcher who developed an app he claimed would only be scraping users' information for academic purposes.

More: Facebook's Paul Grewal No Stranger to Privacy Fights

In recent days, Vladeck has said Cambridge Analytica's harvesting of that data raises questions about whether Facebook has complied with the terms of the 2011 consent decree.

“The real problem for Facebook is there are multiple provisions of the consent decree that— at least from what I know now—there's real reason to believe were violated by Facebook,” Vladeck said. “This is a violation of a consent, so civil penalties are available to the commission if a violation occurred. So this will be a very serious investigation by the FTC.”

Vladeck said Facebook's team of lawyers in 2011 included not only Ullyot and Beringer but Gibson Dunn partner Eugene Scalia and the company's deputy general counsel at the time, Colin Stretch, who took an active role in the FTC negotiations and traveled to Washington to meet with agency officials.

Stretch, now the Facebook general counsel, has served as the face of Facebook as the company, along with Google and Twitter, have been questioned about Russian-purchased election advertisements.

Paul Grewal. Credit: Jason Doiy/ ALM

Paul Grewal, vice president and deputy general counsel at Facebook, has been the company's name on statements responding to the scrutiny over the data acquisition by Cambridge Analytica. Grewal is a former federal magistrate judge in California who joined Facebook in 2016.

“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent,” Grewal said in a statement March 17. “People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

The FTC's renewed investigation into Facebook could bring about a reunion of sorts.

Six years after signing the Facebook settlement, Maneesha Mithal continues to serve as the associate director overseeing the privacy and identity protection division within the FTC's consumer protection bureau. And another FTC attorney, Laura Berger, still works in the agency's privacy and identity protection division.

Christopher Olsen, who served as the division's assistant director at the time of the settlement, has since become a partner at Wilson Sonsini Goodrich & Rosati, where he focuses on privacy, cybersecurity, and data security issues. Another FTC attorney on the 2011 settlement, Manas Mohapatra, left the agency in 2013 to become an associate general counsel at Twitter. He left in November to become the chief global privacy counsel at Viacom.

The FTC said last week in a statement: “We are aware of the issues that have been raised but cannot comment on whether we are investigating. We take any allegations of violations of our consent decrees very seriously as we did in 2012 in a privacy case involving Google.”

In that case, Google paid a $22.5 million penalty to resolve claims that it misrepresented to users of Apple's Safari browser that it would not place tracking “cookies” or serve targeted ads to them, in violation of a settlement reached in October 2011.

“The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” then-FTC chairman Jon Leibowitz, now a partner at Davis, Polk & Wardwell, said in a statement. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

This report was updated with additional information about the FTC's open investigation of Facebook's privacy practices.

Read more: