The most recent scandal concerning Facebook was been the collection and use of the users’ personal data by a third-party company: Cambridge Analytica.

Facebook is one of the most used social networks worldwide. However, it has been facing several challenges regarding its practices relating to the protection of personal data (ex: fined in Spain, fake news…).

Personal data can be defined as any information relating to an identified or identifiable individual. In most countries, personal data benefits from a specific protection. This is namely the case in the United-States and in the European Union.

Mathias Avocats draws an overview of this case and explains the issue it has brought for privacy.

What happened?

Cambridge Analytica is a British consulting firm combining data mining, data brokerage and data analysis with strategic communication for commercial or electoral processes. Since 2014, it has namely provided psychological tests on Facebook with the application thisisyourdigitallife. It must be underlined that personal data of the user taking the test as well as his or her friends were harvested by the firm.

A whistle-blower revealed that Cambridge Analytica used the personal data gathered to build a system which could profile individuals and better target their preferences (commercial or political). However, the takers of the test, the users and their friends were not necessarily informed of this profiling. The psychological tests were presented as such and nothing was said concerning profiling. This led to a collecting of personal data of 87 million people from across the globe.

The scope of the data collected by Cambridge Analytica is still unclear. The firm did not only use the information available on Facebook (ex: name, location, pages liked…). Indeed, it also had access to other databases or sources of information. What personal data has been collected? How did Cambridge Analytica have access to them?

Why is it an issue for privacy?

As previously stated, the processing of personal data is regulated. Data subjects must be informed of the processing activity (ex: the data processed, the identity of the person processing the data, the companies/individuals having access to the data, the purpose of the processing…). Furthermore, the personal data must be adequately protected namely from unauthorised disclosure, access or use.

Cambridge Analytica did not provide information about the commercial or political profiling. It did not indicate that this could lead to different marketing techniques. The lack of information is a violation of the data subjects’ right to information. Without adequate information, how can data subjects consent to the processing? How can they exercise their rights?

Moreover, Cambridge Analytica accessed the user’s friends without authorisation. This is a personal data breach. What measures could have been implemented to avoid unauthorised access? What steps will be taken to remedy this breach?

In a few words, the main issues are transparency, security and the rights of data subjects. Data subjects should have been clearly and simply informed of the personal data processing activities taking place. Their data should have been adequately protected from any unauthorised access or use.

What impact did this profiling have in practice? Have voters been under an incentive to vote a certain way? What commercial profiles have been drawn? What information does Cambridge Analytica hold? Will it delete all profiles? What means of security will be implemented by Facebook? These questions have yet to be answered.

What will happen next?

The Federal Trade Commission (FTC) opened an investigation regarding Facebook’s privacy practices. It is namely seeking to determine whether Facebook violated a consent decree with the FTC. If this were the case, the company could be fined up to $40,000 per violation.

Facebook’s Chief Executive Officer, Mark Zuckerberg, has been heard in both the Senate and the House of Commons on the Cambridge Analytica case. He has taken full responsibility for the events which occurred and denies any prior knowledge of these activities. It remains to be seen what steps Congress will take.

Facebook has suspended Camrbidge Anlaytica from its website. However, this does remedy the unauthorised profiling of Facebook users taking the test and their friends. A similar case has occurred with the company CubeYou which collected users’ personal data through quizzes. The users did not consent to their personal data being disclosed to third-party marketers. Facebook has also suspended Cubeyou.

Following these events, Cambridge Analytica issued a statement beginning of May in which it declares its decision to commence insolvency proceedings and the closing of its offices. Despite the bankruptcy proceedings, it intends to meet its obligations to its employees. It remains to be seen what impacts Cambridge Analytica’s decision will have on the data collected through Facebook.

It must furthermore be stressed that the Information Commissioner’s Office (ICO) declared that it will continue “its civil and criminal investigations and will seek to pursue individuals and directors, as appropriate and necessary even where companies may no longer be operating”. This declaration directly refers to Cambridge Analytica which has been under ICO’s investigation since March 2018.

Mathias Avocats will keep you informed of any further developments.