In a global age of technology, we are using more online platforms to assist with many aspects of our everyday lives, whether for ordering our weekly grocery shop online, or taking advantage of social media to interact and share our lives with other online users. We are, as a result, placing a greater reliance on online platforms to protect the use of our personal data. The recent Facebook-Cambridge Analytica scandal is a stark reminder of the potential for misuse of our personal data and the need for stringent data protection laws in order to protect our privacy.

So what happened in the Facebook-Cambridge Analytica scandal?

Cambridge Analytica obtained personal data through a Facebook application called 'thisisyourdigitalage', which was developed by Cambridge University academic Aleksandr Kogan's company, Global Science Research. The users of this app consented to have their data collected and completed a personality test. However, the app did not only collect personal information from the approximate 270,000 users who took the survey, but also from the users' online Facebook friends. The data of the users and their online Facebook friends was sold to Cambridge Analytica, which is a UK based consultancy firm which harvests and analyses personal data for political campaigns. Facebook's "Platform Policy" permitted the collection of friends' data to improve user experience of apps, but it did not allow for the data to be sold or used for advertising.

From the personal information that Cambridge Analytica acquired, it is alleged that the company was able to profile and target voters during recent political campaigns, including Donald Trump's presidential election and the UK's Brexit referendum. Facebook has reported that the data of up to 87 million people was improperly shared with Cambridge Analytica and, of this total number, it has been suggested that 1.1 million Facebook users in the UK may have been affected. The question inevitably arises as to whether any data protection laws have been breached in the UK.

Data Protection Act 1998

The current data protection law in the UK is regulated by the Data Protection Act 1998. Under this Act, Facebook is the Data Controller and therefore must adhere to data protection principles including, for example, data must be processed fairly and lawfully and the data must be obtained for specified lawful purposes and not further processed in a manner which is incompatible with those purposes. In this context, Facebook could be liable for failing to protect their users' data and for allowing Cambridge Analytica to use the data without consent.

The UK Information Commissioner's Office is currently investigating Facebook and Cambridge Analytica, along with numerous other organisations, in relation to how personal data has been used for political campaigns and social media companies. The ICO has the authority to impose a maximum fine of £500,000, but this threshold will be significantly increased with the implementation of the GDPR.

GDPR

As of 25 May 2018, more rigorous data protection laws will apply to organisations dealing with personal data. The GDPR will require organisations to obtain their users' affirmative consents, with opt-out schemes no longer being an acceptable form of consent and users will instead have to unambiguously opt-in to provide consent. The underlying premise behind the GDPR is for affirmative informed consent to be freely given by individuals.

A notable feature of the GDPR will be the enforcement against breaches of the regulations. Fines imposed can include the higher of up to 4% of an organisation's annual global turnover or up to €20 million. Although the GDPR will not have retrospective effect, it is important to note that Facebook's annual revenue amounts to billions of dollars and, as a result, the GDPR regime has the potential to set unprecedented levels of fines should there by any further breaches of data following its implementation.

It has also emerged that Facebook were aware of Cambridge Analytica harvesting personal information two and a half years ago, but they did not prevent the misuse of the data. Under the GDPR, data processors will have a duty to notify a data controller without delay and, in turn, data controllers must report breaches to their supervisory authority (where feasible within 72 hours of awareness), and in some cases must also report the breach to the affected data subjects.

A word of warning

It is evident that Facebook will need to be more careful in the future as to how it not only deals with their data-harvesting operations, but also how it generally processes their users' data. The consequences for any future data breaches could be dire.

Facebook has recently updated its data policy, but this scandal should act as a wakeup call for online platforms, along with all data processing organisations, to review their data protection procedures, if they have not already done so, ahead of the GDPR's imminent implementation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.