Could GDPR Have Averted Facebook's Data Debacle?
I’ve dug a little deeper with the help of Security Newsletter to get to the bottom of all this. And interestingly, it shows exactly why GDPR affects us globally. The story goes that Cambridge University academic Dr. Kogan developed a Facebook personality quiz app (called 'thisisyourdigitallife') that collected data from some 270,000 app users on Facebook, and also collected their friends' data.
The user profiles were at least partly gathered through the process of 'turking' via Amazon’s Mechanical Turk. (This was new to me; here is how Amazon describes ‘MTurk’.)
MTurk aims to make accessing human intelligence simple, scalable, and cost-effective. Businesses or developers needing tasks done (called Human Intelligence Tasks or “HITs”) can use the robust MTurk API to access thousands of high quality, global, on-demand Workers—and then programmatically integrate the results of that work directly into their business processes and systems. MTurk enables developers and businesses to achieve their goals more quickly and at a lower cost than was previously possible.
Turkers were paid $1 or $2 to install an app that would "download some information about you and your network … basic demographics and likes of categories, places, famous people, etc. from you and your friends."
A key element is that while it could be argued that the original turkers and anyone who installed Kogan's app had given implied consent to the collection of their personal data, their friends had certainly not; nor did anyone give permission for that personal data to be used in the presidential election via a third party, Cambridge Analytica.
Nevertheless, it is worth pointing out that Facebook, CA and Kogan all claim they have done nothing illegal, and it is only after the incident affected Facebook's financial performance that it began to take this seriously…
Interestingly, it could be claimed that GDPR would still fail as a regulation in this case because the users in question are all North American. Citizenship, however, is not the criterion used to determine whether GDPR applies. Residency is, and that makes it far more complicated for companies to determine which of the individual records they hold are or are not covered by GDPR.
Under GDPR, responsibility is primarily with the data controller, and that responsibility cannot be off-loaded to the data processor. There is little doubt that Cambridge Analytica, as a UK company gathering and processing personal data from a firm (Facebook) that operates within the EU, would be considered liable under GDPR. Key to this would be the consent issue. It might be argued that by downloading and installing Kogan's app, users gave consent for their data to be used and shared; and that in allowing their data to be shared among friends on Facebook, the friends also gave consent.
GDPR, though, says that "'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." It is unlikely that even the app downloaders were giving free and informed consent for their personal data to be profiled for political purposes in the U.S. presidential election.
At the end of the day, Facebook's liability under GDPR for the misuse of users' personal data by Cambridge Analytica will partly come down to an interpretation of whether the legislation covers non-EU subjects. If a single affected user was living in or passing through the EU at the time, there would be no ambiguity. Overall, though, there’s no doubt that Facebook's processing and privacy practices fell short of what GDPR requires, and those requirements do not depend on the nationality or residency of the data subject.
And it is this ‘focusing of minds’ on the important subject of personal data privacy that has already been a huge benefit of GDPR even before it comes into force on May 25. And for us marketing types, it should allow us to get the support and funding in our companies to collect, store and use data in a much more targeted and effective way going forward…
I’d love to hear your thoughts on GDPR and the Cambridge Analytica / Facebook debacle. Please comment below or email me at email@example.com. See you next month!