Data Protection has recently come back into the public consciousness in a way it hasn’t since the Talk Talk breach, and unusually it’s not for a security breach but for a breach of legal processing, which rarely captures the public’s attention. Let’s look in detail at where it went wrong in relation to the Data Protection Act and the upcoming General Data Protection Regulation.
Cambridge Analytica (CA) were in breach of Principle 1 of the Data Protection Act (DPA) due to not having a legal basis for processing. CA may insist that they had the consent of the data subjects; however, this consent was clearly not informed and freely given, considering that users thought it was for a fun personality quiz called ‘thisisyourdigitallife’. If the quiz’s fair processing notice had followed the ICO’s guidance, users would have had real choice and control (and for this you need to be informed) and a positive opt-in such as a tick box (especially for sharing with third parties such as CA); the notice would have named any third parties who may receive the information (meaning CA should have been specifically named); and the consent would have been freely given by the data subjects.
It is a trend in apps, especially third-party apps which link to social media, that their fair processing notices are not appropriately transparent and often don’t come close to the standards of the DPA and the ICO’s recommendations. Under GDPR the requirements written into legislation are more specific, and so it will be easier to prosecute those who are clearly being vague in order to gain consent. In the instance of CA this shouldn’t be a problem for prosecution, as the end use is so distant from that initially stated that it breaches Principle Two of the DPA - i.e. that organisations must detail specifically why they need the data, and must not process it further for different purposes. Not only did ‘thisisyourdigitallife’ not have an appropriate condition for processing, as their consent wasn’t compliant, the data was also sent to an undisclosed third party (CA) for a completely separate purpose from Aleksandr Kogan and Global Science Research.
To add insult to injury, data subjects were not just providing ‘consent’ for their data to be processed, they were giving consent for some of their friends as well. As people can’t give consent on behalf of others (unless they are legally responsible for them), this is also a breach of Principle One. It is clear that the majority of the data was collected from scraping users’ friends’ profiles, as only 270,000 people took the quiz but data was collected from around 5 million individuals via the quiz’s functionality, which also looked at friends’ profiles. Some may argue that as their friends’ privacy settings were not set to private, these people were open to having their data scraped. This may be true on an open platform like Twitter, but most people on Facebook who have ‘open’ profiles have them by mistake, due to the nature of Facebook’s default settings. It is public largely by accident, not on purpose. This brings the Right to Privacy in the Human Rights Act into play if it were brought to court, on top of the other transgressions.
Direct Marketing is defined in the DPA as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. This doesn’t only cover selling items, but also the marketing of ideals, and covers political campaigns. Although highly targeted campaigns through Facebook and other social media sites have not yet been brought into scope as direct marketing by the ICO and other legislators, the more personalised it gets, the more likely it is to come into scope. Technically, if the definition is taken at face value, these types of adverts should already be in scope. Once marketing and advertising is defined as direct marketing it comes under much more stringent governance processes, which arguably the issues with data usage by CA have shown to be necessary.
In breach of Principle Five of the DPA, which covers retaining data for longer than needed for the purposes you obtained it for, CA have held onto the data from Facebook, who here are the original Data Controller, after they had been told to delete the data, and after they had confirmed they had done so. As if attempting to get a streak of as many of the 8 Data Protection Principles contravened as possible, there is also a case that Principle Four, ‘Personal data shall be accurate’, has been contravened, given their assertion that they put forward knowingly inaccurate smear campaigns (discovered through the Channel 4 sting). However, the slander and libel laws are much better established for this purpose, and so it is unlikely a Principle Four contravention will be pursued as much as the others.
Under the DPA, considering they are prosecuted under this and not the GDPR, they will be in contravention of Section 55 of the DPA, especially as they did not have the consent of Facebook:
“A person must not knowingly or recklessly, without the consent of the data controller--
(a) obtain or disclose personal data or the information contained in personal data, or
(b) procure the disclosure to another person of the information contained in personal data”.
This is a criminal offence which can attract a personal fine as well as a fine for the person’s company; however, it is much more likely that only the company will be pursued, rather than individuals. Data subjects could also press for damages for causing distress on top of the personal and company fines, with potentially five million data subjects with a legitimate case.
Considering their contraventions, the ICO are interested in CA and their practices. CA have been given a deadline to respond to the ICO’s request for access to their servers, a deadline which passed with no access given. The ICO are now having to apply for a warrant to access these servers. The delay in being able to raid will no doubt hinder the investigation significantly, but the evidence will also be on Facebook, and so they won’t be able to scrub the evidence of wrongdoing away, only attempt to defend it.
Overall, it has been a catalogue of errors, with CA seemingly ignoring any legislation which protects people’s privacy in order to reach their desired goal.