A breach of trust
Dr David Haynes considers the Cambridge Analytica and Facebook scandal
By Dr David Haynes
There was widespread shock and, I suspect, a degree of manufactured outrage when news of the Cambridge Analytica scandal broke in The Observer in March 2018. It has been well known for some time that personal data could be scraped from Facebook profiles. Although access had recently been restricted, Facebook still makes APIs available to mine information from the network.
Facebook makes its money from digital advertising, which is also a lucrative source of income for those who own the click-through sites with eye-catching content. Much of that traffic comes from Facebook and other social media postings.
With the General Data Protection Regulation (GDPR) due to come into force on 25th May 2018, this raises a number of issues.
When people sign up to social media, it is as a platform to communicate with friends and associates. The conditions of service are not normally at the forefront of people’s minds when they sign up to it. This scandal has exposed what is clearly a case of personal data being repurposed without the knowledge or consent of the individuals concerned.
Under GDPR, consent has to be sought from individuals before their personal data can be processed, unless it is covered by another legal basis for data processing. It could be argued that contractual obligations may require use of personal data in order to fulfil a contract to provide services; however, consent probably takes priority in this case.
The consent will have to be informed, explicit, unambiguous and specific. This means that the individual has to be fully informed about what will be done with the data and they should have an opportunity to consent. The default is no consent, so the individual has to take a positive action such as ticking an opt-in box to signal that they are happy for the data to be processed in that way or used for that particular purpose.
Users have a right to be forgotten, so they can require a data processor such as Facebook to delete their record or part of the record. It is encouraging that Facebook has made a commitment to do this and it should also apply to data that has been sold on to other organizations.
Reporting data breaches
Data breaches will have to be reported promptly, first of all to the data protection authority of the EU country whose citizens are affected, and then to the individuals concerned, if the breach is likely to have a harmful effect. They will have to explain what measures they are taking to deal with the data breach and recommend actions that the affected individuals should take.
When personal data is passed on to third parties (and this can be legitimate), Facebook must have in place adequate safeguards and guarantees that the data they have passed on will have the same protections under GDPR as the data directly controlled by Facebook. They have said in the past that they did not know that the data was being passed on; however, they have also provided features to enable the scraping of data from user profiles.
U.S. v EU regulations
Regulation is a great thing because even the threat of regulation changes behaviour. It is difficult to decide what to make of Mark Zuckerberg’s assertion that he will cooperate with the U.S. Congress even if it leads to new regulation. One suggestion is that it is better to shape the regulation than to have it imposed on you. Social media providers have been very resistant to regulations in the United States that would afford its citizens similar privacy protections to those that are available to EU citizens.
The Cambridge Analytica scandal also raises issues of research ethics. It is astonishing that data gathered for research purposes could be so blatantly exploited for commercial purposes without the consent of the participants.
It is particularly troubling that friends and contacts of the original cohort involved in the study have been recruited into the database of targets for political campaigning. They will not have seen anything about the terms of the study and would not have been given the opportunity to give their consent.
This will damage the relationship between Facebook and the research community as well as undermining public trust in the research process - making it more difficult for bona fide researchers to go about their work.