Legal & Government Affairs Update Issue 2 - 2018
Cambridge Analytica and Facebook face outrage over data breach
On 17 March, the Observer revealed that Cambridge Analytica (CA), a data analytics company with links to Donald Trump and the pro-Brexit campaign, was responsible for harvesting personal information on around 50 million Facebook users without their consent. This major data breach was said to have occurred in 2014 and has caused widespread condemnation of both CA and Facebook from members of the US and UK governments, raising serious concerns about data protection and the regulation of social media platforms.
According to whistle-blower Christopher Wylie, CA collaborated with a company called Global Science Research (GSR) to set up an app hosted on Facebook's platform. The app was seemingly set up to collect the answers of Americans taking a paid personality test. However, unknown to the takers of the test, the app also collected data on their Facebook friends. This information was then used by CA to build data analytics models to, as Wylie told the Observer, "exploit what we knew about them and target their inner demons." Suggestions have been made that these models may have been put to use in the 2016 US Presidential election, although CA has stated that none of the data was used for this.
The company has denied allegations of wrongdoing in a statement, saying: "In 2014 we received Facebook data and derivatives of Facebook data from another company, GSR, that we engaged in good faith to legally supply data for research. After it subsequently became known that GSR had broken its contract with Cambridge Analytica because it had not adhered to data protection regulation, Cambridge Analytica deleted all the Facebook data and derivatives, in cooperation with Facebook."
The collection of this data is specifically against Facebook's "platform policy", which only allows data on friends to be collected to improve the user experience. The policy also barred the data from being sold or used for advertising. The Observer reported that Facebook became aware of the scale of information harvesting by CA in 2015, but failed to inform users. Facebook has stated that it removed the app once it became aware and demanded that all the data be destroyed. It is now investigating whether this was done properly. Facebook denies that this is a data breach and has suspended CA and its affiliates from its site.
The news has prompted strong criticism and investigations from members of the US and UK governments. In the US, Democratic senator Mark Warner has called for Congress to improve the regulation of political advertising online, and Adam Schiff, who sits on the House intelligence committee, has joined calls for both companies to provide answers. An investigation into the breach has already been announced by Massachusetts Attorney General Maura Healey.
In the UK, Conservative MP Damian Collins, chair of the Commons digital, culture, media and sport select committee, has already said he is planning on calling for testimony from the head of CA, Alexander Nix, and Facebook CEO Mark Zuckerberg. In February, Nix told a parliamentary inquiry that CA did not use private Facebook data. Speaking to the Observer, Collins said: "Data has been taken from Facebook users without their consent, and was then processed by a third party and used to support their campaigns. Facebook knew about this, and the involvement of Cambridge Analytica with it." The Information Commissioner's Office is currently seeking a warrant to investigate CA further.
Readers will appreciate that there is still much to be uncovered in this story, but if Christopher Wylie's allegations are true, it would appear that the personal data of millions of people has been harvested without their consent, in violation of well-established data protection principles. A strong response from the regulatory authorities is almost inevitable.
Legislation & Case Law Update
Draft Data Protection (Charges and Information) Regulations 2018 and guide published
In February 2018, a draft of the Data Protection (Charges and Information) Regulations 2018 was published, along with guidance from the Information Commissioner's Office (ICO) on their requirements. The final version of these regulations will implement parts of the EU's General Data Protection Regulation, which, as you are no doubt aware, comes into force on 25 May 2018.
The regulations set out the fees that data controllers (the organisations that ultimately decide the purposes for which personal data is processed) must pay to the ICO, unless exempt. These fees will fund the ICO's operations and will replace the requirement to 'notify'/register under the current Data Protection Act 1998. Data controllers must provide specific information to the ICO to ensure that the correct charge is paid, such as the organisation type, turnover and number of employees.
Fees range from £40 to £2,900, and are set by Parliament to reflect the risks posed by the processing of personal data. There are specific exemptions for certain organisations, such as charities, and the ICO will be entitled to issue penalties to those who fail to pay the correct fee.
The ICO has released detailed guidance on the application of the regulations, including helpful assistance on how to work out whether the regulations apply and how to calculate your fee. Readers wishing to learn more can do so here:
BEREC announces consultation on Net Neutrality Regulation
On 15 March, the Body of European Regulators for Electronic Communications (BEREC) announced a public consultation on its Net Neutrality Guidelines (Guidelines) in the context of the Net Neutrality Regulation (Regulation). BEREC is a European body which brings together national regulatory authorities for electronic communications. The consultation seeks to gather information on the experiences of interested parties with the Regulation and Guidelines, which implement the EU's net neutrality regime.
Net neutrality is the principle that Internet Service Providers (ISPs), companies such as BT and Verizon which provide access to the internet for customers, should give equal treatment to all data transmitted over their networks. Without net neutrality regulations, it is possible for ISPs to intentionally slow down or block users or websites and to charge more money for access to certain content. In December 2017, the US Federal Communications Commission controversially voted to repeal the net neutrality rules it had adopted in 2015, despite widespread criticism.
BEREC is specifically asking for feedback on how stakeholders have experienced the Regulation and Guidelines since 30 April 2016. The European Commission plans on evaluating the Regulation in early 2019, and BEREC will use the information gathered from this consultation to prepare an opinion for the Commission. The consultation focusses on several key areas of the current regime, from stakeholders' general experiences to specific questions concerning areas such as traffic management and zero-rating.
The consultation will close on 25 April 2018. Readers wishing to access the consultation, and learn more about net neutrality regulations, can do so here: