The bulk of the recent stories about Cambridge Analytica, parent company SCL and their alleged ties to the Trump and Brexit campaigns was not news in itself: stories have been circulating for months about billionaires, political strategists and power-brokers joining forces with data scientists to target key demographics in both elections.
However, it is the link between those rumours and another highly plausible hypothesis that has kept the headline-writers busy: that data-hungry social networking giants may have (unwittingly or otherwise) facilitated third parties’ exploitation of our personal data (it being uncontroversial that they themselves continue to exploit it with our knowing consent).
So what happened?
The tool in question, Facebook’s “Friends Permission” feature, is alleged to have allowed app developers to harvest not only the personal data of the app user (who gives their consent to this when they start using the app) but also the data of their wider network of “friends”. Whilst the “friends” had also given their consent to this, it was in general terms, buried in Facebook’s terms of service – so query whether that consent was valid at all. The feature was removed from Facebook in 2014, but not before a number of developers are said to have obtained vast stores of personal data relating to tens of millions of users. A tranche of this data appears to have been acquired by Cambridge Analytica and used for their campaigns targeted at voters in the US election and the Brexit referendum.
Facebook has commissioned a data audit into Kogan and Cambridge Analytica. Separately, the UK’s Information Commissioner has sought a warrant to enter Cambridge Analytica’s offices and conduct their own audit of the company’s systems and records.
What should I do?
The recent developments are extremely timely, as they come just over two months before the implementation date of the General Data Protection Regulation (“GDPR”), which will strengthen the regulations around how data can be processed. The Information Commissioner’s Office (ICO) has already flexed its muscles in respect of Cambridge Analytica, and we anticipate a thorough investigation. The possibility of penalties and/or prosecutions cannot be ruled out.
Those concerned about a knee-jerk reaction affecting the wider industry should take urgent legal advice on the compliance of their data gathering, processing and retention policies and procedures, and their rights and obligations should they receive an information notice from the ICO. The story also increases the chances of a backlash from the public against data collection and analytics. Data scientists, whose work is crucial for bioinformatics, medical research and disease control, as well as for financial and behavioural modelling, can mitigate the risk by ensuring they adopt best practice and demonstrate that they are doing so.
Our commercial technology and commercial disputes teams have considerable expertise in this area and can advise on GDPR compliance in general and on specific issues raised by the Cambridge Analytica story – please contact Gareth Dickson, James Boyle or Will Haig to discuss.