FACEBOOK, CAMBRIDGE ANALYTICA AND THE IMPACT ON GDPR ENFORCEMENT
Facebook’s Mark Zuckerberg has broken his silence to comment on
the unfolding Cambridge Analytica data scandal. He has announced steps his
organisation will take to deal with the fallout that has resulted from
Cambridge Analytica’s acquisition of the personal data of up to 50 million
Facebook users.
As the hashtag #deleteFacebook gains momentum, it remains to be seen
whether Facebook’s actions will be enough
to stem the slide in the company’s share price or to restore the credibility of
the social media platform. But as we ready ourselves for GDPR, the
Facebook/Cambridge Analytica debacle is sure to have repercussions for any
company that holds personal data belonging to EU consumers.
3 REASONS WHY GDPR COMPLIANCE IS MORE IMPORTANT THAN EVER
We believe the Cambridge
Analytica story makes GDPR compliance more critical than ever for three
reasons:
· The furore has propelled the subject of data protection to the forefront
  of the political and media agenda
· The scandal will inevitably give individuals a much greater sense of their
  rights in relation to their personal data and how these can be enforced
· Data commissioners across Europe, including our own Information
  Commissioner’s Office, will have renewed confidence to investigate and
  clamp down on any future data breaches with vigour
So for the type of small and
medium-sized businesses Big Data Law advises, comprehensive GDPR compliance has
just become more urgent than ever.
WHAT HAPPENED WITH FACEBOOK AND CAMBRIDGE ANALYTICA?
A whistleblower has described to
various news outlets how Cambridge Analytica got hold of data belonging to 50
million Facebook users.
It allegedly obtained the
information from responses to a quiz app on Facebook (“thisismydigitallife”)
set up by a company called Global Science Research (GSR). Only 270,000 people
actually downloaded the app containing the quiz, but GSR was able to obtain the
data of 50 million Facebook users.
Why? At the time (2015), when an
individual granted access to their data on Facebook this also gave the person
seeking the data access to the data of that individual’s entire Facebook friend
network.
The quiz was described as an
experiment that scientists would use to build psychological profiles of
respondents. The whistleblower claims, however, that the information was sold to
Cambridge Analytica. And it used the data as the basis of voter modelling ahead
of the 2016 US presidential election.
Both Facebook and Cambridge
Analytica deny they have done anything illegal or untoward.
DATA BELONGED TO AMERICAN CONSUMERS: WHY IS THE UK INVOLVED?
Cambridge Analytica is a British
company, so the ICO has become involved. The UK’s Information Commissioner has
issued a Demand for Access to records and data in the hands of Cambridge
Analytica. As the company has not responded, the Commissioner has applied to
court for a warrant to enable access.
Although the original Facebook
quiz targeted US individuals, if UK citizens responded or US respondents had
friends in the UK whose data was harvested, then the UK’s Data Protection Act
(DPA) will kick in.
It’s likely that the Information
Commissioner wants to find out whether UK consumers who answered the quiz
understood what specifically the information they provided would be used for.
For example, if the quiz only referred to scientific research and not voter
profiling, there is likely to have been a breach of the DPA. In addition,
political views are likely to be regarded as ‘sensitive personal information’.
Handling such information attracts much higher levels of security under the DPA
than some other personal data.
WHAT ABOUT GDPR?
The data harvesting that has led
to the scandal occurred in 2015 – so in the UK the DPA applies, not GDPR. As we
know, the GDPR offers individuals much greater protection and control over their
data. For example, citizens can ask for information about them to be erased (the
right to be forgotten). If the Cambridge Analytica data harvesting had been
unearthed when GDPR was in force, much heavier financial penalties would have
been available to regulators than at present. Using information for a purpose
other than the specific purpose for which it was obtained (which some
commentators believe is the case here) could, under GDPR, result in a fine of
€20 million or an amount equivalent to 4% of global turnover.
COMMENT
Perhaps one of the most alarming
aspects of this story is that the data sharing that occurred was not strictly
speaking a breach. There was no hacking or theft of information. And because of
the amount of data involved, Facebook’s own internal systems flagged up the
fact that so much data was being accessed. But this simply did not contravene
Facebook policies at the time. (These have since changed.)
The furious reaction to this
developing story means that the concept of data protection has been raised high
in the public’s consciousness. Data compliance issues that were mainly of
concern to businesses ahead of GDPR’s introduction are now firmly on the public’s
radar. We anticipate a greater readiness by the public to enforce their data
protection rights. Just as significant – as the commissioner’s pursuit of a
warrant against Cambridge Analytica shows – is that regulators know they have
teeth. They won’t be afraid to use them when it comes to enforcing GDPR.
CONTACT BIG DATA LAW
To find out how data protection Law Firm London can help you prepare for
GDPR, call us on 0203 670 5540 or complete our online enquiry form.
Find out more about how we can assist you by
emailing us in complete confidence at info@bigdatalaw.co.uk.
