Could GDPR Have Averted Facebook's Data Debacle?
Welcome to my monthly column series, Around the World, where we will explore what’s new in marketing and sales from a global perspective. This column will focus primarily on technology innovations and the impact they are making in helping companies achieve their growth objectives.
Note: I intentionally include both marketing and sales innovations. The reason is most effective organizations employ collaborative marketing and sales teams who work together to achieve shared goals. Companies can no longer afford to separate these two symbiotic areas of the business. Clearly, we have a long way to go to make this a universal reality, but we are moving in that direction.
The ROI of GDPR
Starting next month, I will serve up short Q&A sessions with innovative people who are making an impact in the marketing and sales industry. This will create an interesting flow of perspectives and experiences from around the world. The purpose of this column is to be a source of useful and inspiring information for you, my readers. But I also want this to be an interactive forum where you share your reactions and experiences so we are learning from each other.
Let’s get started with a look at GDPR, which will have global ramifications in how marketers and salespeople handle personal data. This new European regulation, which begins on May 25, is causing many to complain about increased regulation and the cost it is going to impose on businesses. I view GDPR differently. These new regulations are exactly what we as individuals expect and demand from companies in how they treat the personal data they have extracted from us over time.
From my perspective, I like what GDPR offers. I want to share my data with companies to receive a better service, be rewarded for my loyalty and be treated ethically, knowing that my data is safe and secure. In fact, I’d like to go further and have ‘a right to be remembered!’ For instance, it’s so boring and time-consuming to have to complete the same forms each time for the same company you fly with or rent cars from, or the same hotels you visit. As consumers, we want these entities to retain the data we have provided about our preferences and use it in the future.
We all want to be treated like trusted members of the family. Imagine being greeted by the Italian restaurant owner who impresses your guests as he ushers you and your guests to your favorite table in a restaurant! You feel special. The evening gets off to a great start and sets the tone for a great customer experience. This is all because the owner took the time to get to know you and your preferences before you stepped inside his restaurant.
One of the main benefits of GDPR is the fact that there are huge powers (and corresponding fines of 4% of revenue in each country affected), which will make large companies sit up and take notice about this important issue. And it’s really the big companies who have handled our data in an appalling way. Just in recent weeks, we’ve seen millions of records hacked or misused by Facebook/Cambridge Analytica, Uber and Under Armour; the latter at least reacting quickly to confirm their data breach, rather than the normal corporate procedure of trying to brush things under the carpet as VW did with the dieselgate scandal - with unbelievable corporate arrogance. Shame on VW.
GDPR's Potential Impact on Facebook Debacle
So if GDPR had been in place, for instance, could it have affected the recent Facebook crisis?
I’ve dug a little deeper with the help of Security Newsletter to get to the bottom of all this. And interestingly it’s shown exactly why we are affected globally by GDPR. The story goes that Cambridge University academic, Dr. Kogan, developed a Facebook personality quiz app (called 'thisisyourdigitallife') that collected data from some 270,000 app users on Facebook; and also collected their friends' data.
The user profiles were at least partly gathered through the process of 'turking' via Amazon’s Mechanical Turk. (This was new to me.) Here’s how Amazon describes ‘MTurk’:
MTurk aims to make accessing human intelligence simple, scalable, and cost-effective. Businesses or developers needing tasks done (called Human Intelligence Tasks or “HITs”) can use the robust MTurk API to access thousands of high quality, global, on-demand Workers—and then programmatically integrate the results of that work directly into their business processes and systems. MTurk enables developers and businesses to achieve their goals more quickly and at a lower cost than was previously possible.
Turkers were paid $1 or $2 to install an app that would "download some information about you and your network … basic demographics and likes of categories, places, famous people, etc. from you and your friends."
A key element is that while it could be argued that the original turkers and anyone who installed Kogan's app had given implied consent to the collection of their personal data, their friends had certainly not; nor did anyone give permission for that personal data to be used in the presidential election via a third party, Cambridge Analytica.
Nevertheless, it is worth pointing out that Facebook, CA and Kogan all claim they have done nothing illegal, and it is only after the incident affected Facebook's financial performance that it began to take this seriously…
Interestingly, it could be claimed that GDPR would still fail as a regulation in this case because the users in question are all North American. Citizenship is not the criterion used to determine the application of GDPR. Residency is, though, and that makes it far more complicated for companies to determine which of the individual records they have are or are not covered by GDPR.
Under GDPR, responsibility is primarily with the data controller, and that responsibility cannot be off-loaded to the data processor. There is little doubt that Cambridge Analytica, as a UK company gathering and processing personal data from a firm (Facebook) that operates within the EU, would be considered liable under GDPR. Key to this would be the consent issue. It might be argued that by downloading and installing Kogan's app, users gave consent for their data to be used and shared; and that in allowing their data to be shared among friends on Facebook, the friends also gave consent.
GDPR, though, says that "'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." It is unlikely that even the app downloaders were giving free and informed consent for their personal data to be profiled for political purposes in the U.S. presidential election.
At the end of the day, Facebook's liability under GDPR for the misuse of users' personal data by Cambridge Analytica will partly come down to an interpretation of whether the legislation covers non-EU subjects. If a single affected user was living in or passing through the EU at the time, there would be no ambiguity. Overall, though, there’s no doubt then that Facebook's processing and privacy practices fell short of that required by GDPR. These requirements do not rely on the nationality or residency of the data subject.
And it is this ‘focusing of minds’ on the important subject of personal data privacy that has already been a huge benefit of GDPR even before it comes into force on May 25. And for us marketing types, it should allow us to get the support and funding in our companies to collect, store and use data in a much more targeted and effective way going forward…
I’d love to hear your thoughts on GDPR and the Cambridge Analytica / Facebook debacle. Please comment below or email me at firstname.lastname@example.org. See you next month!