Facebook and Cambridge Analytica Privacy Scandal – In light of the GDPR
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
In recent days, a severe case of privacy breach was exposed. In the following post, I will try to answer what would have been the GDP's implications - as it comes into force in two months. For the purposes of the discussion, I will consider Facebook as an international body, who has to comply with the GDPR under the broad definition of the liability.
The main scandal revolves around Cambridge Analytica – a company owned by the hedge fund billionaire Robert Mercer, which harvested millions of Facebook profiles of US voters, in one of the tech giant’s biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box.
What are the implications in the GDPR Area?
Facebook is indeed the data controller and has started a GDPR program . Some would consider that a dual-use technology scenario - Facebook is a social network and it couldn't be responsible for such a misuse, since access to personal data is intrinsic in a social networks design.
But according to Facebook statement, by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.
Achieve GDPR compliance in days, not months through cogntive computing.
So, where did exactly Facebook fail?
Lawful Processing and Consent
Facebook is the data controller, and the GDPR makes it liable to its data - the controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
And of course, using this data to target voters is not, by any means, a lawful processing. Furthermore, political opinions are considered to be a special category (and deserve specific protection) by article 9 which requires a “freely given, specific, informed and unambiguous" consent.
Profiling and Data Monitoring
Article 4 states that data processing may be characterized as “profiling” when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person.
In our case (b) would be considered as a potential political preference of an individual (which also relates to the broader definition of PII, and even to a future preference).
The GDPR establishes its jurisdiction over non-EU controllers (such as Facebook) provided they are “monitoring the behavior of data subjects as far as their behavior takes places within the European Union.” Cambridge Analytica has breached a key GDPR requirement that restricts data subject monitoring when “individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors, and attitudes.”
Breach NotificationDocuments seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals. This is a clear breach of the GDPR's Data Security and Breach Notification Standards that states that a notification to the authority should be given without undue delay (Article 34) and, where feasible, not later than 72 hours after having become aware of it.” Facebook didn't have any reasonable justification not to disclose the breach (or data misuse) as soon as it found out about the incident.
(Enforcement officers working for the ICO investigating Cambridge Analytica in the UK)
Facebook would have faced the higher penalty bar, which is to €20 million or 4% of the company’s global annual turnover.
• Because of the infringement of the basic principle for processing, including conditions for consent, the lawfulness of processing and processing of special categories of personal data. Even though It didn't actively transfer personal data to an entity in a third country or an international organization