…87 million.

That’s the estimated number of Facebook user profiles which may have been improperly shared with Cambridge Analytica[1] to date.

At the end of the fourth quarter in 2017, Facebook could boast 2.2 billion active users[2]. This means almost a third of the world’s population has been freely giving a corporation uninhibited access to their data. This includes but isn’t limited to their name, age, likes, dislikes, children’s names, photos, and their opinions on everything from the food they like to eat to the political party they vote for.

Google has even more information about you. Every website you have ever visited, YouTube videos you have ever watched and places you have ever navigated to using Google Maps has been stored. Your complete location history has probably also been stored.

The General Data Protection Regulations (GDPR), which comes into force next month, is aimed at protecting peoples’ personally identifiable data. The question is: how would Facebook’s alleged breach and misuse of data be treated once the GDPR is in place?

Despite what Google, Facebook, Amazon, and other large tech organisations tell you, this information is stored primarily for commercial gain. The information provided by users is used as a basis to market advertisements. This is how these corporations make money. Remember, you get to use their services for free but a price is paid. That price is the loss of your privacy.

Judging from this exchange in 2004 between 19-year-old Mark Zuckerberg and a friend shortly after Mark Zuckerberg launched Facebook in his dorm room at Harvard, the creators of the platform cannot quite believe their luck that people have been prepared to share their personally identifiable information so willingly[3]:

“Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend’s Name]: What? How’d you manage that one?
Zuck: People just submitted it

Zuck: I don’t know why

Zuck: They “trust me”

Zuck: Dumb [expletive]”

Although Mark Zuckerberg may have been joking, the exchange does highlight the stance that Facebook has had surrounding the privacy rights of its users.

The story of Cambridge Analytica and the unauthorised use of Facebook data was originally broken by The Guardian in December 2015[4]. In March 2018, a former Cambridge Analytica employee, Christopher Wylie, provided documents and first-person testimony in both a The New York Times story[5] (by Matthew Rosenberg, Nick Confessore and Carole Cadwalladr) and an Observer story[6] (by Cadwalladr), stating exactly what happened.

According to Christopher Wylie, Aleksandr Kogan, a Russian-American academic at Cambridge University developed a Facebook App – “thisismydigitallife,” which was a personality quiz. He claimed the data he collected was for academic purposes only. To take the quiz, users had to consent to share not only their own personal information but also that of their friends. This meant data was accessible from around 87 million users. The data was then compared with other material to profile people. Cambridge Analytica spent around $7 million on the data. Facebook became aware that Aleksandr Kogan had violated its rules by passing the data onto third parties but believed Cambridge Analytica when it said that the data had been deleted. In fact, it was harvested and could have been used to create targeted ads for Donald Trump’s presidential campaign.

In the UK, the Information Commissioner’s Office (ICO) is now leading the global investigation into whether Cambridge Analytica breached data protection law. The ICO’s response is believed to be critical in shaping how other watchdogs, including the U.S. Federal Trade Commission, handled the breach[7].

The problem with the existing data protection laws is that they are 20 years old. The Data Protection Act 1998, although stringent, was enacted well before the advent of social media (in fact, probably even before most people had a home PC).

The GDPR is designed to bring data protection laws across the entire European Union up to date. Below, we examine how a data breach would be managed by the GDPR.

From 25 May 2018, all organisations will need to obtain express consent to collect data and to use it for a specific purpose. Exemptions include:

if an organisation has a legitimate interest in processing personally identifiable information; or
it has a legal obligation which can only be fulfilled by using personally identifiable information.
Organisations built on data collection face huge challenges when it comes to complying with the GDPR. In addition, hefty fines will be imposed on organisations that fail to comply with the GDPR or cause data breaches.

Researchers at Charles III University of Madrid used Facebook’s advertising dashboard to analyse the methods used to target EU users for advertisement campaigns. It discovered that 73% of ads were targeted by marketers using data which showed characteristics such as sexual orientation and religious beliefs. Such practices would only be allowed under the GDPR if the data subject (i.e. who the personally identifiable information belongs to) gives explicit consent for Facebook to first of all, store said data, and secondly, to share said data with third parties.

Neil Campling, a technology analyst at Mirabaud Securities, which recently downgraded Facebook told the Financial Times:

“Targeted advertising requires you to have a lot of accurate user information, but if you think about what happens after the implementation of GDPR, it will become much harder to hold that information”[8].

• Right to be informed: data subjects have the right to be informed about how their personally identifiable information is being used, which must be given at the time of exchange
• Right to access: data subjects have the right to request access to their personally identifiable information
• Right to ratification: data subjects may request rectification
• Right to erasure: data subjects can demand an organisation delete all the personally identifiable information held on them. The controller (e.g. Facebook) is responsible for instructing other organisations (e.g. Google) to delete any links to copies of that personally identifiable information, as well as the copies themselves
• Right to restrict processing: although not an absolute right, data subjects can request their personally identifiable information be restricted or supressed
• Right to portability: data subjects have the right to use their personally identifiable information across different services (e.g. Twitter, Instagram etc.)
• Right to object: if a data subject’s personally identifiable information is being processed based on a legitimate interest, the data subject has a right to object to said processing.

Any breach must be notified to the ICO within 72 hours and individuals affected by the breach must also be notified. This presents a considerable challenge for data controllers in cases such as the one involving Cambridge Analytica, where tens of millions of Facebook accounts were stored without consent.

Penalties for non-compliance or data breaches are harsh. Lower level breaches can attract a fine of €10 million or 2% of a firm’s global turnover for the previous financial year, whichever is higher. Major infringements can lead to a fine of €20 million or 4% of global turnover, again, whichever is higher.

Major data aggregators will face challenges under the GDPR regarding how they collect and use data.

For example, Google used to ‘mine’ the content and metadata of every email sent using Gmail and used the information to target advertisements. Under the GDPR, the sender and receiver would have to give consent for this to occur. As Google knows this was unlikely to be given, it has reportedly discontinued this practice[9].

The problem with law and technology is that as soon as the former catches up with the latter, the latter develops ways to circumvent the former. However, given trends such as #DeleteFacebook, it appears users have realised that ‘free’ services come with a big price tag attached. That price is your privacy and control of your information. Although, with the GDPR coming into effect on 25 May 2018, the price tag is about to change as data subjects gain control of their information once again.

More information on GDPR? For SMEs, please click here. For Charities, please click here.

Saracens Solicitors is a multi-service law firm based in London’s West End. We have dedicated and highly experienced commercial law solicitors who can advise you on all GDPR matters. For more information, please call our office on 020 3588 3500.

Do you have any comments to make on this article? Please feel free to add them to the section below.