Cambridge Analytica's alleged misuse of Facebook users' data is the perfect example of conduct that will not be tolerated under the EU's new General Data Protection Regulation, which comes into force on 25 May. Make sure your organisation does not fall foul of GDPR.
What did Facebook/CA actually do?
It’s alleged that Cambridge Analytica (a data analytics company) acquired personal data that had been harvested from some 50M Facebook users in the US and the UK, which was then used to help Trump win votes and become president of the US. If true, this is just plain wrong on so many levels! The media is having a feeding frenzy, Facebook shares have plummeted by more than 18% (c.$80 billion in terms of market value!), Zuckerberg has been called to testify before US Congress and a UK parliamentary committee, the UK Information Commissioner has raided CA’s London headquarters, and the public are asking how this could have ever been allowed to happen.
How was the data harvested?
The Guardian, the BBC and many other reliable news sources have reported that in 2014 around 270,000 Facebook users were asked to complete a quiz to define their personality type, which led to the data of around 50M users being collected and processed without consent. Christopher Wylie, an ex-CA employee, has alleged that the data was later acquired by CA and used to support the Trump campaign.
How would GDPR treat this sort of behaviour?
If the alleged behaviour had taken place after 25 May 2018, and it was clear that personal data from an EU Facebook user was collected and processed, it would not be hard to argue a breach of the core principles of GDPR, in particular Articles 5(1)(a) and (b). These state that personal data must be:
- processed lawfully, fairly and in a transparent manner (Article 5(1)(a)); and
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5(1)(b)).
Arguments could also be made that Articles 6 and 14 would be breached, which provide:
- personal data may only be processed where a data subject has given consent to the processing of its data for one or more specific purposes (Article 6(1)(a)) (or where one of the other grounds of lawful processing set out in Article 6(1) applies); and
- detailed information must be provided to a data subject where personal data is collected from someone other than the data subject, including details of the controller, the Data Protection Officer’s contact details, the purposes of processing, the recipients of the data, details of international transfers, and the right to be forgotten and to restrict processing (Article 14(1)).
If the allegations are true, strong arguments could also be made that Facebook/CA have actually breached current data protection laws (specifically, the UK Data Protection Act 1998, implementing EU Data Protection Directive 95/46/EC), which contain provisions very similar to those I have cited above. I’ll be keeping a close eye on the outcome of the UK Information Commissioner’s recent raid and whether any charges are laid under existing laws.
What sanctions would Facebook/CA be subject to under GDPR?
GDPR introduces extremely strict sanctions for non-compliance which Facebook/CA would potentially be subject to, including fines for serious breaches of up to the higher of 4% of annual worldwide turnover or EUR 20M (Article 83(5)).
Further, individuals who suffered damage (material or non-material) as a result of the infringements would have the right, under Article 82, to receive compensation from Facebook/CA (and potentially others) for the damage suffered. The right to claim would extend to any “individual” affected by the infringement (i.e. it would not be limited to individuals in the UK, or even EU Facebook users) and would also cover non-material damage (e.g. emotional distress).
How can Alyne help you comply with GDPR?
Alyne provides the ideal tool for managing compliance with your obligations under GDPR, including:
- providing you with pre-set controls (which may be customised) for assessing, monitoring and reporting on your compliance with GDPR;
- leveraging GDPR controls to assess your organisation’s maturity in relation to GDPR requirements;
- conducting privacy impact assessments (required by Article 35) and setting up processing registers, using Alyne’s Funnels tool; and
- establishing and maintaining privacy risk management processes, including building mitigation plans.
Have a read of Karl’s GDPR blog post for more information on how Alyne can help you.