Did Facebook And Cambridge Analytica Break The Data Protection Laws in UK?

If you have a Facebook account then you’ll be aware of the scandal engulfing Cambridge Analytica, the company accused of harvesting data from millions of profiles to help influence voters during the Brexit referendum and Donald Trump’s election campaign.   

While Facebook has publicly apologised for the breach, serious questions are now being asked about whether enough is being done to protect our personal data.

The introduction of the new General Data Protection Regulation (GDPR) in May will bring more robust rules around the handling of personal data, but it is important that you know your rights online.

How Cambridge Analytica Works

Cambridge Analytica is a data mining company which gathers social media data to help target and influence voters for political campaigns. This may include, for example, compiling lists of Facebook users who have ‘liked’ or are friends with people who have ‘liked’ key terms relating to a particular campaign. Once gathered, this data would then be examined along with other publicly available information such as statistics on areas with particularly high or low levels of education, income or historical support for a political party.

Going further, Cambridge Analytica claims it can also conduct ‘psychometric analysis’ of people’s behaviour on social media to identify potential support. For example, it suggests that people who use language associated with introversion and suspicion of others may be more likely to support Brexit, while words relating to being outgoing and open to new experiences would suggest the opposite.

Why is our data so valuable?

Cambridge Analytica believes that social media activity is a better predictor of political participation than the more traditional surveys or polls.

The methods above are controversial but have been shown to be extremely effective in identifying the places where a political campaign can most successfully get its message out.

Have any data protection laws been breached?

The key question is whether Facebook users have given their consent and so very much depends on how Cambridge Analytica obtained the data.

Facebook is the ‘data controller’ and when it, and other social media companies, sell targeted advertising, they do not provide the data to political parties directly – they simply sell space on the profiles of their own users. Facebook would no doubt argue that this is anticipated by users who agree to their terms and conditions and know the ads are targeted.

Under the current Data Protection Act 1998, it is likely that the consent users provided for Facebook to use their data when initially signing up to the social media platform will be sufficient to cover its obligations – unless the data was stolen. If that was the case, Facebook could be liable for failing to have adequate measures in place to protect the data and Cambridge Analytica for using it without consent. 

If it could be proven that Facebook had unlawfully released data without the consent of its users then those affected could consider a group litigation or ‘class action’. This happened to TalkTalk, which in 2015 was handed a £400,000 fine – the largest ever imposed by the Information Commissioner’s Office – for a data breach, but has never happened with a social media giant.


Will the new GDPR make a difference?

The General Data Protection Regulation will require companies like Facebook to obtain more explicit ‘affirmative’ consent from their users. For example, this will mean you ticking a box to opt in rather than unticking one to opt out.

The current DPA does make a distinction between personal data and sensitive personal data, the latter being information which may be considered private and could be used in a discriminatory way so needs greater care. The GDPR will also add two new categories of sensitive personal data to cover DNA and biometric data, the latter of which includes physical, physiological or behavioural characteristics. This means that lists of how many people in a particular city or town have used certain words on social media could be in breach of the new data protection regime, even if there is no other identifying information.   

A recent Court of Appeal ruling (Google v. Vidal-Hall, 2015) found that the information generated when a person uses the internet could not be classed as anonymous as it included their IP address, websites they were visiting and even their rough geographic location. This decision, combined with the new GDPR, is likely to have implications for data analytics companies who collect and aggregate data on unique website visits, as they will no longer be able to say it is ‘anonymous’ data and does not fall within the data protection regime. 

Companies like Cambridge Analytica may argue that social media activity is already in the public domain, but using this with other data that may not be – and in a way that may not have been envisaged when consent was given – is where the argument may fall down.

How Will Data Protection Breaches be Punished?

The Information Commissioner’s Office (ICO), which is investigating the Cambridge Analytica scandal, has the power to hand out maximum fines of £500,000. According to the Electoral Commission, Britain’s political parties spent £37.3 million on campaigning in the year before the 2015 general election. A fine in the tens of thousands, while unfortunate, is unlikely to deter campaigns from engaging in practices that breach the DPA.

This will all change under the new GDPR, which will allow fines of up to four per cent of a company’s annual worldwide turnover or 20 million euros, whichever is higher. When deciding the penalty, the ICO will consider factors such as the nature, gravity and duration of the infringement.

What do you need to do?

This would be a good opportunity to review the privacy settings within your social network accounts. You need to be sure that you know what is visible and to whom. Social media networks regularly update these settings, so it is good practice to go in every 6 months to check that you are still displaying only the things that you want. There are many guides which can help, with a few below:
