March 27, 2018

Cambridge Analytica & Facebook data harvesting controversy

It is reported that data from up to 60 million Facebook accounts has been unlawfully used by its data partner, Cambridge Analytica. Facebook shares have lost $100 billion in market value between 17 March 2018 and 27 March 2018. Facebook’s privacy practices are under investigation by the US Federal Trade Commission. Facebook denies legal culpability and claims the use of the account data was against its terms.

What is Cambridge Analytica?

Cambridge Analytica (‘CA’) are at the forefront of an international controversy after The Observer and Guardian newspapers revealed CA harvested and intentionally misused personal information from up to 60 million independent Facebook users, most of whom were registered US voters (‘data ‘harvesting’ controversy’). These stories cited the accounts of an internal whistleblower (Christopher Wylie).

CA is an international data analytics company that uses data to change audience behaviour through targeted communications.

CA achieves this through a “full-service” approach that provides tailored messages to audiences. The in-house resources of CA include:

  • Data analytics;
  • Psychological profiling;
  • Industry-standard creative teams; and
  • Media and communications teams.

Contrary to the common approach of ‘grandstanding’ audiences, CA’s modus operandi is to target specific entities with specific sets of information and messaging.

Why is CA in the news?

Following the publication of the data ‘harvesting’ controversy, footage from an undercover investigation run by Channel 4 in the UK was leaked. In this footage the (now suspended) CEO of CA, Dr Alexander Nix, made a selling point of the fact CA was willing to provide, and had in fact provided, results for clients through illegal means.

How did CA ‘harvest’ Facebook profiles?

CA used an algorithm that mapped personality traits based on the answers of respondents (i.e. whether someone was introverted/extroverted, conscientious, neurotic, as well as how satisfied they were with their life, and what their political views and broad interests were).

CA was interested in any available user information, including:

  • Names and locations;
  • Status updates, “Facebook likes”;
  • Relationship status; and
  • Anything else displayed by user profiles.

CA used the data and algorithmic insights to target specific groups with personality-based political messaging to deliver results for its clients.

Facebook was aware CA had received the data in 2014 but in December 2015 sought certification from CA that the data had been destroyed.

Facebook has denied liability and pointed to CA’s actions as constituting a breach of its platform policy (which specifically prohibits commercial uses for friends’ data that is collected).

Direct Consequences for CA and Facebook

Cambridge Analytica

    • Under investigation in the US by the Department of Justice’s probe into Russian electoral interference.
    • Under investigation in the UK by:
        • The British Information Commissioner’s Office, who have already raided CA’s London offices; and
        • The Electoral Commission, regarding the results in the Brexit/EU referendum.
    • Intense media attention into CA’s practices, stakeholders and past actions (i.e. the possibility of numerous incidents of electoral tampering in countries such as Ukraine and Nigeria).


Facebook

  • Facebook shares have lost $100 billion in market value between 17 March 2018 and 27 March 2018.[1]
  • Facebook’s privacy practices are under investigation by the Federal Trade Commission (‘FTC’). Due to a prior settlement between Facebook and the FTC, this could result in fines of US$40,000 for every user whose data was violated (i.e. US$40,000 x up to 60 million).
  • The Massachusetts Attorney General announced (over Twitter) that the state would be investigating Facebook’s role in the events.
  • US senators have called on Mark Zuckerberg to testify before Congress about how his company will protect users.
  • Members of Parliament in the UK have called on Mark Zuckerberg to give evidence regarding Facebook’s role in CA’s access to the data.
  • Chief law enforcement officers for 37 US states and territories are looking into the culpability of Facebook.
  • Intense consumer backlash and media scrutiny that have already forced Facebook to run advertisements in British and US newspapers apologising to users.
  • US and European advertisers are disassociating themselves from Facebook.

Broader impacts for data driven businesses 

These events have placed a spotlight on where the blame should rest when individuals’ data is misused.

Facebook denies legal culpability and claims CA’s actions were against its terms of service. However, this is not a view that is shared by global public sentiment, and all of the media and regulatory pressure on Facebook stems from the belief that the platform is still to blame.

The CA whistleblower’s account adds fuel to this fire. Relevantly, it outlines that, despite seeking certification that CA had destroyed the data nearly 2 years after it was collected, Facebook effectively did nothing to actually check the data was not being misused.

How this saga plays out will be a good litmus test for how different jurisdictions and regulators will treat significant data breaches, and the extent to which they will see platforms as complicit or culpable in them.

Concluding remarks 

Compliance with privacy laws is getting increasing focus in Australia and overseas, and the stakes are getting larger.


The information above is general in nature. If you would like to learn more about data law, please contact us below.
