It is reported that data from up to 60 million Facebook accounts has been unlawfully used by its’ data partner, Cambridge Analytica. Facebook shares have lost $100 billion in market value between 17 March 2018 and 27 March 2018. Facebook’s privacy practices are under investigation by the US Federal Trade Commission. Facebook denies legal culpability and claims the use of the account data was against its’ terms.
Cambridge Analytica (‘CA’) are at the forefront of an international controversy after The Observer and Guardian newspapers revealed CA harvested and intentionally misused personal information from up to 60 million independent Facebook users, most of whom were registered US voters (‘data ‘harvesting’ controversy’). These stories cited the accounts of an internal whistleblower (Christopher Wylie).
CA is an international data analytics company that uses data to change audience behaviour through targeted communications.
CA achieves this through a “full-service” approach that provides tailored messages to audiences. The in-house resources of CA include:
Contrary to the common approach of ‘grandstanding’ audiences, CA’s modus operandi is to target specific entities with specific sets of information and messaging.
Following the publication of the data ‘harvesting’ controversy, footage from an undercover investigation run by Channel 4 in the UK was leaked. In this footage the (now suspended) CEO of CA, Dr Alexander Nix, made a selling point of the fact CA was willing to provide, and had in fact provided, results for clients through illegal means.
CA used an algorithm that mapped personality traits based on the answers of respondents (i.e. whether someone was introverted/extroverted, conscientious, neurotic, as well as how satisfied they were with their life, and what their political views and broad interests were).
CA was interested in any available user information, including:
CA used the data and algorithmic insights to target specific groups with personality-based political messaging to deliver results for its’ clients.
Facebook was aware CA had received the data in 2014 but in December 2015 sought certification from CA that the data had been destroyed.
Facebook has denied liability and pointed to CA’s actions as constituting a breach of its’ platform policy (which specifically prohibits commercial uses for friends’ data that is collected).
The British Information Commissioner’s Office, who have already raided CA’s London offices; and
The Electoral Commission, regarding the results in the Brexit/EU referendum.
These events have placed a spotlight on where the blame should rest when individuals’ data is misused.
Facebook denies legal culpability and claims CA’s actions were against its’ terms of service. However, this is not a view that is shared by global public sentiment, and all of the media and regulatory pressure on Facebook stems from the belief platform is still to blame.
The CA whistleblower’s account adds fuel to this fire. Relevantly, it outlines that, despite seeking certification CA had destroyed the data nearly 2 years after it was collected, Facebook effectively did nothing to actually check the data was not being misused.
How this saga plays out will be a good litmus test for how different jurisdictions and regulators will treat significant data breaches, and the extent to which they will see platforms as complicit or culpable in them.
Compliance with privacy laws is getting increasing focus in Australia and overseas, and the stakes are getting larger.
The information above is general in nature. If you would like to learn more about data law, please contact us below.