The Facebook scandal that allowed the data of 50 million users to fall into the hands of political consulting firm Cambridge Analytica (CA) is perhaps the biggest story of 2018 so far.
The breach is particularly relevant against the backdrop of the EU General Data Protection Regulation (GDPR) that comes into force on 25 May this year.
The Facebook and CA scandal has had wide-ranging repercussions, not least of which is the $50 billion hit (17%) on Facebook’s share price between 16 March and markets closing for Easter on 29 March.
That has also proven to be the trigger for a wider loss of investor confidence in ‘Big Tech’. The FAANG (Facebook, Apple, Amazon, Netflix and Google-parent Alphabet) stocks and wider technology sector have taken heavy losses over the past couple of weeks.
Having been the most influential positive driver of US equity markets last year, in 2018 they have been the biggest drag. Other factors, such as Trump’s public gripe with how much tax Amazon pays, have also had an influence.
However, the Cambridge Analytica scandal looks set to go down in history as a turning point in both the history of Facebook as a company and the attitude of regulators to the world’s “mega cap” technology companies.
The US Federal Trade Commission announced it has launched an investigation into Facebook’s data practices, and regulators may seek to place restrictions on how the company, and others which use a similar model, monetise data.
This, along with the #DeleteFacebook campaign that is resulting in millions of accounts on the social media platform being closed, threatens the company’s business model.
Data breach controversy
The Cambridge Analytica data privacy breach has provoked particular public ire due to the nature of the company and how the data was subsequently used. Profiles of 50 million Facebook users fell into Cambridge Analytica’s hands via a collaboration with Global Research Science (GSR), a commercial enterprise owned by Cambridge researcher Aleksandr Kogan.
Funded by Cambridge Analytica, GSR paid hundreds of thousands of users to take a personality test, with the agreement that the resulting data could be used as part of an academic study.
What was not divulged to these Facebook users was the fact that the personality test conducted through also gave GSR access to the data of all of their Facebook ‘friends’.
This harvesting of ‘friends’ data was against Facebook’s ‘Platform Policy’, as were the subsequent transfer of the data to Cambridge Analytica and the commercial use of what was, by then, a data set consisting of tens of millions of user profiles.
Cambridge Analytica used the data to build an algorithmic system to profile individual US voters. These profiles were then used during President Trump’s 2016 election campaign, which hired the British company as a service provider.
Users were targeted with personalised political ads designed to, as explained by whistle-blower Christopher Wylie, ‘exploit what we knew about them and target their inner demons’.
Facebook’s culpability is considered threefold. Firstly, the social media giant failed to have the necessary security procedures in place to prevent the GSR app from harvesting the profiles of users’ ‘friends’.
Secondly, the company did not ensure that the personal data, which users had agreed could be used for ‘academic purposes’, was controlled and subsequently destroyed.
And thirdly, by late 2015 Facebook was aware of the data privacy breach but failed both to alert users and to take any real action to recover and secure the personal data of the 50 million plus users.
Facebook under GDPR
But how does the Facebook and Cambridge Analytica scandal relate directly to GDPR and why is it considered a ‘godsend’ for the EU’s new data protection regulation? It centres on Facebook collecting personal data far beyond what most users realise, often without explicit consent.
A recent article in Adweek details how one user who downloaded a file of the data Facebook had gathered on him found a detailed history of his telephone records. This contained two years of calls, including numbers, names and the length of calls. This took advantage of Android granting permission to applications to access call logs.
Facebook’s statement of justification, as made to The Guardian newspaper through an official spokesperson, is that when its apps are first opened these permissions are requested. Facebook also stated in a subsequent blog post that users can turn off these permissions in their settings.
Within the context of GDPR, Facebook’s historic approach to how users give ‘permission’ to their data being gathered will be deemed insufficient. ‘Willing consent’ is not considered to be given by hitting ‘I Accept’ at the bottom of “long illegible terms and conditions full of legalese”.
Instead it must be “as easy to withdraw consent as it is to give it” and data collection permission must be provided in response to a direct and “intelligible” request for it.
GDPR also means users can always request to see data being held on them. They also have the right to, at any given time, request it is destroyed and/or handed over to them. At its core, GDPR is about Privacy by Design.
Users of any service that collects personal data must provide consent willingly and in full knowledge of how and to what purpose that data will be used.
The Facebook and Cambridge Analytica scandal has clearly strengthened the case for why GDPR is necessary and may well help bolster public support and participation around its introduction.
It’s no longer just a ‘boring data law’. Crucially, the damage to Facebook’s brand and the viral spread of the #DeleteFacebook movement should provide a wake-up call to any digital services or marketers that questioned how much they would really have to worry about the introduction of GDPR.
It has demonstrated that regulatory action for infringements will entail huge damage to brand trust in addition to a fine of €20m or 4% of global turnover.
Privacy by Design and Data Exchange
GDPR means that companies must offer users a fair exchange in return for their data. They will have to be convinced that what they will receive in return is a deal they are ready to make.
The Facebook scandal will have brought this into sharper focus and mean other companies prepare better for GDPR. They will now understand they don’t own their customers’ data but are being allowed to use it temporarily in exchange for providing them with clear benefits.
Managed in the right way, this added incentive to companies to cater more to their clients’ needs should lead to a win-win situation and help GDPR get off to a flying start.