News & Insight
Dan Pearson talks about Facebook, data and GDPR
ow. Just wow. If you ever needed a good example of why data protection laws are important, I believe you have it.
Unless you switched off all media over the last few days, you are most likely to have heard or read that a whistle-blower has come forward with a massive case of potential data misuse that could have influenced world events such as the US election and the Brexit vote in 2016. It has been alleged that a company called Cambridge Analytica has been involved in the unauthorised harvesting of millions of individuals’ personal data from Facebook. The suggestion is that this personal data has been used to then target individuals with political messages designed to encourage voting in a particular way.
The personal data was harvested using a Facebook app called “thisisyourdigitallife”. A hundred thousand or so Facebook users were paid to take a personality test via the app and they consented to have their data processed for research purposes. Right from the start, it sounds like the consent mechanism for these individuals was invalid as the purpose was not correctly disclosed. But more to the point, it is alleged that the app did not just collate the personal data of the users who signed-up to take the personality test, it accessed the profiles of every single one of their Facebook friends.
This amounted to in excess of 50 million individual Facebook profiles being accessed, of which at best about one hundred thousand may have provided some limited insufficient consent for processing. Whether considering the test for valid consent under the Data Protection Act 1998 or the stricter standard imposed by the upcoming GDPR, defence counsel for Cambridge Analytica have got their work cut out when seeking to provide a lawful basis for the processing of this personal data.
Outside of the massive political implications, which of course will be revealed as the investigations continue, it is really interesting to see that the Information Commissioners Office have quashed Facebook’s investigation and sought a warrant from the courts to access the offices and systems of Cambridge Analytica. With the GDPR implementation date just around the corner, are we seeing an early show of strength from the ICO in the enforcement of data protection law in the UK going forwards?