Lessons from the Cambridge Analytica issues – and the need to prepare for the General Data Protection Regulation
If you have been following the news recently, you’ll no doubt have heard of “Cambridge Analytica” (CA). CA is alleged to have ‘mined’ information from Facebook users without consent and used it for various purposes.
Personal data is a valuable commodity. It is especially valuable to those who know how to use it to learn about their clients' buying preferences or the political leanings of the voting public. That knowledge can then be used to influence commercial or political campaigns.
Under the Data Protection Act 1998, it is against the law to use a person’s personal data in this way without their consent. Personal data can only be used for specified purposes and what an organisation does with the information has to be in line with the reasonable expectations of the individuals concerned. The issues raised by the CA incident are a clear example of what can happen when the law is ignored.
UK businesses should, by now, be aware of the General Data Protection Regulation 2017 (GDPR) which will be in force on 25 May 2018. The GDPR will strengthen the UK’s data protection laws. Parties who misuse personal information could face serious consequences including fines.
What is Cambridge Analytica alleged to have done?
CA is a UK based, political consulting firm that specialises in obtaining and processing data for specific purposes for its clients.
In March 2018, a former employee of CA turned whistle-blower, alleged that CA had collated considerable data from Facebook users through a personality quiz. (This is sometimes calling ‘mining’ or ‘harvesting’.) The quiz (This is your Digital Life), was taken (willingly) by over 270,000 people. However, information was also taken from “friends” of the quiz takers – and they had not consented to its use.
This ‘mining’ amounts to a data protection breach – but not only that, the ex CA employee went on to say that the data mined was then sold on to CA. CA used the data to build personality profiles of the Facebook users which, in turn, helped CA to target the users with pro-Trump content. In this way, CA’s clients were able to influence the 2016 US presidential election.
The former employee has since claimed that he was collating the information for his own, academic reasons.
It is alleged that this non-consensual mining of information could amount to a breach of Facebook’s security systems; that Facebook had known about this breach for a couple of years and that no action was taken to protect Facebook users from these security breaches.
The consequences of these allegations are now echoing back and forth across the Atlantic. CA has suspended their boss, Alexander Nix, and Facebook owner, Mark Zuckerberg, has made statements about the allegations.
What information is collected and why is it useful?
If you use social media sites, you should be aware that:
- users of social media sites like Facebook, without realising it, give away a substantial amount of information about themselves when engaging in social media;
- it is possible to learn about a user’s personality and preferences just from what they look at and read on the internet and how they behave consequently;
- armed with this information, very specific content, goods and services can be targeted at that user – and can even be fashioned to reflect the right tone according to the recipient’s personality profile.
Online surveys, like the “This is your Digital Life“ quiz in the CA scenario, are a particular method of mining information. You might think you are doing a fun survey in your own time – but your answers are giving away a lot of information. And by engaging in the quiz, you are effectively consenting to give the information.
Subscribe to our newsletterPlease note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers Ltd or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.
This blog was posted some time ago and its contents may now be out of date. For the latest legal position relating to these issues, get in touch with the author - or make an enquiry now.