Cambridge Analytica has provoked international uproar for exploiting the data of millions to manipulate the US 2016 presidential election and the UK Brexit referendum, using data harvested through the Facebook application "Thisisyourdigitallife".
Facebook knew about the misuse years ago and asked Cambridge Analytica to delete the data, yet did not blacklist the company until recently. Facebook has terms of use for third parties and developers, but it has had minimal security checks and controls to enforce them.
Both Facebook and Cambridge Analytica have denied any wrongdoing.
From a compliance perspective, the app was launched in 2015 and so was covered by the Data Protection Act (DPA).
But if it were to be in use after 25 May 2018, then the General Data Protection Regulation (GDPR) would apply. Here's how both Cambridge Analytica and Facebook would be implicated.
Online identifiers and profiling
The DPA only covers personal data and sensitive data. But Cambridge Analytica used data to psychologically profile people and deliver targeted content to manipulate their beliefs and values. The GDPR will not allow businesses to profile people without their explicit permission. The regulation covers online identifiers, the profiling of data subjects, and other data an organisation holds.
Explicit consent
The application was developed by University of Cambridge academic Aleksandr Kogan, who has no connections with Cambridge Analytica. As was common with apps and games in 2015, the application was designed to harvest not only the data of the user taking part in the quiz, but also the data of their friends.
Facebook has since changed the amount of data that developers can scrape in this way. However, the General Data Protection Regulation puts responsibility on both the controller and processor. In this case, Facebook would have a responsibility to protect the data subjects and be transparent and explicit about how the data is to be used.
Time it takes to report a breach
Cambridge Analytica has been withholding information. Under the DPA, breach notifications are not mandatory: the business can decide what it reports to the Information Commissioner's Office (ICO). Under the GDPR, however, breach notifications are mandatory and must be made within 72 hours, with substantial fines for failure to do so. Penalties under the GDPR are severe: sharing personal information and using it beyond the stated purpose can incur a fine of up to €20 million or 4% of global turnover.