Would Facebook and Cambridge Analytica be in Breach of GDPR?
2.4.18 securityweek Privacy

The Cambridge Analytica (CA) and Facebook accusations over the U.S. 2016 presidential election campaign, and to a lesser extent between CA and the UK's Brexit VoteLeave campaign, are -- if proven true -- morally reprehensible. It is not immediately clear, however, whether they are legally reprehensible. The matter is currently under investigation on both sides of the Atlantic.

On March 26, both Apple and IBM called for more regulatory oversight on the use of personal data. "I'm personally not a big fan of regulation because sometimes regulation can have unexpected consequences to it, however I think this certain situation is so dire, and has become so large, that probably some well-crafted regulation is necessary," said Apple chief Tim Cook on March 24, 18.

"If you're going to use these technologies, you have to tell people you're doing that, and they should never be surprised," IBM chief executive Rometty said on March 26, 18. "(We have to let) people opt in and opt out, and be clear that ownership of the data does belong to the creator," he said.

GDPR - European Data ProtectionSuch regulatory oversight already exists in Europe under national data protection laws, and this will potenyially become global when the European General Data Protection Regulation (GDPR) comes into effect on May 25, 18. The question is whether Facebook and/or CA would have been in breach of GDPR were it already operational, and therefore whether GDPR will prevent any future repetitions of this sort.

"From Facebook's perspective," MacRoberts LLP senior partner David Flint told SecurityWeek, "the only good point is that the maximum fine under the [current UK] Data Protection Act is £500,000; after 25 May 18 it would be 4% of Facebook worldwide turnover ($40bn in 2017) -- a potential $1.6bn fine! That's before damages claims."

Cambridge Analytica is an offshoot or SCL, formerly Strategic Communications Laboratories (a private British behavioral research and strategic communication company); and was specifically formed to target the U.S. presidential elections.

The user profile collection

At this stage we have to stress that everything is just a combination of accusation and denial, with nothing yet proven in a court of law. Nevertheless, the accusation is that a Cambridge University academic, Dr. Aleksandr Kogan, developed a Facebook personality quiz app (called 'thisisyourdigitallife') that collected data from some 270,000 app users on Facebook; and also collected their friends' data. Kogan's firm was known as Global Science Research (GSR).

Concerns about the relationship between Facebook user data, GSR, CA, and the U.S. presidential election are not new. In December 2015, the Guardian reported, "Documents seen by the Guardian have uncovered longstanding ethical and privacy issues about the way academics hoovered up personal data by accessing a vast set of US Facebook profiles, in order to build sophisticated models of users' personalities without their knowledge."

The user profiles were at least partly gathered through the process of 'turking' via the Amazon service, the Mechanical Turk. GSR reportedly paid Turkers $1 or $2 to install an app that would "download some information about you and your network … basic demographics and likes of categories, places, famous people, etc. from you and your friends."

An important element of the evolving story is that while it could be argued that the original turkers and anyone who installed Kogan's app had given implied consent to the collection of their personal data, their friends had almost certainly not; nor it seems did anyone give permission for that personal data to be used for political purposes in the presidential election via a third-party, namely Cambridge Analytica.

The scandal

The scandal did not reach public proportions until March 18 following new reports from the New York Times and the Guardian, and a video interview between CA whistleblower Christopher Wylie and the Guardian. Wylie revealed that "personal information was taken without authorization in early 2014 to build a system that could profile individual US voters in order to target them with personalized political advertisements."

Public awareness was suddenly so high that Facebook -- the ultimate source of the user profiles -- saw an immediate and dramatic drop in its share value. Since March 16, Facebook has lost approximately $80 billion in value (at the time of writing), the FTC has announced an investigation into Facebook's privacy practices, Mark Zuckerberg, Facebook's co-founder and CEO, agreed to testify before Congress (but declined to appear in person before UK lawmakers), and the UK's data protection regulator (the Information Commissioner's Office) has raided CA's offices.

Incidentally, Facebook and CA are also included in an ongoing but lower profile investigation into possible manipulation of the Brexit referendum vote. Speaking before a UK parliamentary select committee this week, Wylie claimed that CA had been involved in the Brexit referendum and that, in his view, the result had been obtained by 'fraud' and 'cheating'.

Cambridge Analytica's alleged involvement in the U.S. election has been known since at least 2015. Facebook made some minor changes to its policies and requested that Kogan and CA delete all gathered user data. It says it believed that had happened -- but if Wylie's accusations are true, that could not have happened.

It is only in March 18, following the dramatic drop in share value, that Facebook has responded seriously. On March 16, Facebook VP and deputy general counsel Paul Grewel announced, "We are suspending SCL/Cambridge Analytica, [whistleblower] Wylie and Kogan from Facebook, pending further information." One day later he added, "Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked." The claim that 'everyone involved gave their consent' is open to debate.

On March 2, Facebook founder Mark Zuckerberg published a personal apology together with news that Facebook would dramatically rein in the amount of personal data that apps can collect. "We will reduce the data you give an app when you sign in -- to only your name, profile photo, and email address. We'll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data. And we'll have more changes to share in the next few days."

Nevertheless, two things stand-out. Facebook, CA and Aleksandr Kogan all claim they have done nothing illegal -- and it is only after the incident affected Facebook's bottom line that it has begun to take serious action. It is against this background that Tim Cook has called for "some well-crafted regulation".

GDPR

The EU's General Data Protection Regulation (GDPR) was drafted precisely to protect personal information from misuse. GDPR, is already enacted and due to come into force on May 25, 18. The question is whether this regulation would provide the future oversight called for by Apple and IBM.

"Absolutely," says Thycotic's chief security scientist Joseph Carson. "This is exactly why EU GDPR has been put in place to protect EU citizens' personal information and ensure that companies have explicit consent to use personal data. Let's think about this - if only the data breach (aka trust) had occurred after May 25th, 18, and if any of the 50 million impacted users had been EU citizens, Facebook would have been facing a potential whopping $1.6 billion financial penalty from the EU. I believe that would change Facebook's priority on ensuring data is not being misused. This is going to be an example on what could have been if GDPR was enforced."

It could be claimed that GDPR would still fail as a regulation because the impacted users are, ostensibly, all North American. "GDPR applies to the data for any EU resident," comments Nathan Wenzler, chief security strategist at AsTech. "For example, if a U.S. citizen was residing in an EU country, their data would be governed under GDPR when it goes into effect. Citizenship is not the criteria used to determine application of GDPR. Residency is, though, and that makes it far more complicated for companies to determine which of the individual records they have are or are not under the mandates of GDPR."

Dov Goldman, Vice President, Innovation and Alliances at Opus, is even more forthright. "The GDPR privacy rules do not protect non-EU citizens," he told SecurityWeek. "If Facebook can prove that the data released to Cambridge Analytica only contained PII of US persons, Facebook would likely not face any liability under GDPR. There are U.S. regulations that protect American's financial data, but not their personal data (PII), for now."

It's not that clear cut. While the common perception is that GDPR is designed to protect people within the EU (or perhaps the slightly larger European Economic Area), Recital 14 states: "The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data."

GDPR is principal-based legislation. Interpretation of the details will be left to the courts to decide, based on their understanding of the intent of the lawmakers. It is, therefore, not entirely clear at this stage whether 'whatever the nationality' means European nationality or global nationality.

David Flint has no doubts. "GDPR would apply (were it in force) to any processing of data carried out by Cambridge Analytica, even if only of US nationals, by virtue of Article 3.1 of the GDPR (Data Controller / Processor based in EU)," he told SecurityWeek. "Article 2 (processing by automated means) would also be relevant." In this view, GDPR is about the processing of personal data, not the nationality of the data subject.

Under GDPR, responsibility is primarily with the data controller, and that responsibility cannot be off-loaded to the data processor. "It is difficult to see how Facebook would not be considered as a Data Controller (or perhaps Controller in Common with Cambridge Analytica)," continued Flint, "given that it collected the data, and/or permitted CA to do so, provided the platform APIs which allowed the data collection and mining; and carried out automatic mass profiling."

There is little doubt that Cambridge Analytica, as a UK company gathering and processing personal data from a firm (Facebook) that operates within the EU would be considered liable under GDPR. Key to this would be the consent issue. It will be argued that by downloading and installing Kogan's app, users gave consent for their data to be used and shared; and that in allowing their data to be shared among friends on Facebook, the friends also gave consent.

This argument won't pass muster. GDPR says, "'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." It is unlikely that even the app downloaders were giving free and informed consent for their personal data to be profiled for political purposes in the U.S. presidential election.

As at least co-controllers with Cambridge Analytica, it is difficult then to see how Facebook would not also be drawn into the issue.

Will GDPR provide the regulation/oversight sought by Apple and IBM?

In the final analysis, Facebook's liability under GDPR for the misuse of users' personal data by Cambridge Analytica will partly come down to an interpretation of whether the legislation covers non-EU subjects. If a single affected user was living in or passing through the EU at the time, there would be no ambiguity. However, in the end, the interpretation will be done by the courts -- although it is worth noting that the European MEP who drove through GDPR as its rapporteur (Jan Philipp Albrecht) has made it clear that he sees GDPR as changing privacy practices throughout the world for all people.

Where there is little ambiguity, however, is that Facebook's processing and privacy practices fell short of that required by GDPR. These requirements do not rely on the nationality or residency of the data subject.

GDPR could well provide the basis of global oversight of large company privacy practices; but we may have to wait until the courts start to interpret the finer details. In the meantime, all companies should carefully consider what happens to the personal data they collect and share. It is possible that sharing or selling that data to a third-party not specified at the time of collection will prove a breach of GDPR.