Allegations that data analysts may have misused the personal information of up to 87 million Facebook users have propelled the issue of data privacy into the limelight, just as the EU applies its tough new regime, the General Data Protection Regulation (GDPR).
In March, allegations emerged that data from Facebook users may have been illegally acquired by data analytics firm Cambridge Analytica and used for political purposes. Cambridge Analytica, as well as other data analysts, reportedly used data collected from an online survey developed by a researcher. The app legitimately collected data on the 300,000 people that took part in the survey, but it also harvested data from millions of other Facebook users.
Facebook says that it told Cambridge Analytica to delete the data in 2015, but whistleblowers say the consultancy continued to use the data for some time after. In 2012, Facebook reached an agreement with the Federal Trade Commission to obtain the consent of users before sharing their information beyond their privacy settings.
The fallout from the allegations has been widespread. The crisis saw Facebook shares fall almost 10% in the days after the news broke on March 17, wiping around USD 50 billion off the value of the company. The allegations also impacted other technology companies, with Twitter shares also falling by around 10%.
Facebook and Cambridge Analytica now face investigations by regulators in the US, UK and Australia over potential breaches of privacy law. The two companies also face class action lawsuits from users and investors. At the end of March, Facebook was reportedly fighting 16 lawsuits in the US.
The allegations against Facebook and Cambridge Analytica have raised questions around the adequacy of data privacy regulation in the US and Europe. While the EU can cite GDPR – due to be implemented across the EU from 25 May 2018 – the US has almost no privacy law at a federal level. While federal laws protect personal data on health, education and financial services, online services and social media are subject to light-touch regulation. The collection and use of data by websites and the Internet of Things is largely self-regulated.
Unsurprisingly, revelations about Facebook have led some to call for more stringent data privacy regulation in the US, with some commentators suggesting that the US could look to GDPR. However, given the political climate in the US, federal data privacy regulation is unlikely any time soon. Some US states may nevertheless act independently and tighten up their rules.
The alleged misuse of Facebook user data has raised awareness of the third-party data market. While there are many genuine reasons for individuals and organizations to share personal data – such as for medical research – concerns have been growing about the security of such data and how it is being used by third parties.
The monetization of personal data has seen the emergence of a market to collect, analyze and sell personal data. Data collected by the likes of Facebook and other service providers is commonly used by third parties and organizations to direct advertising and messaging as well as provide companies with business insights.
In recent years, large data breaches have hit the headlines, but given the allegations against Facebook and Cambridge Analytica, the use of personal data is likely to become an area of growing interest for policy makers and regulators in future.
The UK’s Information Commissioner’s Office (ICO), for example, is already investigating 30 organizations (including Facebook) over the use of personal data and analytics by political campaigns, social media companies and other commercial entities. The European Commission also says that it will expand its investigation into the harvesting of personal data, warning that the Facebook case is probably not isolated.
Other companies are believed to have accessed the same data from the online survey app used by Cambridge Analytica. Facebook, for example, has since banned other data analytics firms that it suspects of sharing or selling users’ data with third parties. In early April it suspended data analytics firm CubeYou, which also ran online quizzes to gather data, as well as Canadian political consultancy AggregateIQ. Facebook also announced that it will shut its partner category service, which uses third-party data to inform targeted advertising. The UK’s ICO had been investigating the service, which it says is a “significant area of concern”.
Privacy is likely to become an even more complex and emotive issue as organizations find more and more uses for existing and emergent technologies like biometrics or the Internet of Things. Such technologies may bring benefits for society and efficiencies and opportunities for business, but they will also come with risks.
For example, amid its privacy crisis, Facebook announced that it wants to use facial recognition technology to identify European users in photos and videos. However, the company already faces a class action lawsuit in California that alleges that it gathered biometric information without users’ consent.
Privacy is also likely to emerge as an increasing area of liability under GDPR, which gives consumers far greater control over their data.
The new rules give EU consumers increased rights over how their personal data is used – for example, an individual can request that their data is deleted under the “right to be forgotten”. GDPR also places more responsibility on organizations to think about how they use and store data – for example, organizations can only collect data where there is a business case to do so.
Given that over two million European Facebook users are affected by the recent privacy issues, GDPR would more than likely have come into play had the incident happened after May 2018. GDPR does not apply retroactively, but commentators have suggested that Facebook theoretically would have faced a USD 1 billion fine under the new rules, where the maximum penalty is up to 4% of a company’s annual global revenue.
Soon after news of the Facebook crisis broke, Andrea Jelinek, chair of an umbrella group representing EU privacy regulators, said that companies that fall foul of GDPR should not expect leniency.
For more information on cyber insurance, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com