Published on April 19, 2018
What exactly happened behind the doors of Cambridge Analytica is still being investigated, but the basic story is this: It all started in 2010 when Facebook launched the Open Graph platform that allowed third-party apps to access users’ data (with permission), as well as their friends’ data (without permission). In 2014 Facebook changed its rules to prevent third-party apps from accessing friends’ data without permission. However, data obtained by an app before this change was still being stored and, as it turned out, was sold to Cambridge Analytica, which used the data to target presidential campaign ads to Facebook users. Last month, the Guardian and the New York Times published exposés revealing just how far this data mishandling went. The level of the personal data abuse was impossible to ignore, and US legislators called Zuckerberg to testify before Congress.
Last week’s hearings resulted in an apologetic Zuckerberg admitting that “we didn't take a broad enough view of our responsibility” and committing to “getting this right. This includes the basic responsibility of protecting people's information.”
He expanded his promise to include extending GDPR benefits to all Facebook users, not just those residing in the European Union. As we discussed in a recent post, the EU’s General Data Protection Regulation (GDPR) lays out in clear terms rules for what personal data is and how it can be used. The GDPR, which goes into effect next month, puts into place rules that go significantly further than what is required by other laws. How these rules will affect an entity of Facebook’s size and reach illustrates the shift that is taking place globally to acknowledge the vulnerability of our personal data and to take steps to protect it.
In simplest terms, the GDPR can be broken down into three key concepts: consent and control; transparency; and the granting of individual rights. Let’s take a brief look at how each of these concepts could affect Facebook:
Under the GDPR, an individual is required to give direct consent to any entity wishing to use their data for any reason. The consent cannot be bundled, and the individual must be able to withdraw the consent just as easily as it was given. The entity requesting the data must inform the individual of how their data will be used and only gather as much data as needed for the stated purpose. Although Zuckerberg claims that a clear statement of how data is used has always been present in Facebook’s user agreement, he also admits that the agreement could use an extensive rewrite, making it easier for users to understand. The requirement of consent and control will also make it possible for users to limit third-party access to their data.
The GDPR requires that in the case of a security breach, those affected must be notified immediately and provided full disclosure, including an explanation of what happened and what’s being done to remedy the situation. Zuckerberg acknowledges that Facebook failed to do this in response to the Cambridge Analytica mishandling and is now in the process of informing users who were affected.
Under the GDPR, individuals are given comprehensive rights to access, correct, port, erase, and object to the processing and storage of their data. One of the most talked-about concerns regarding Facebook is that even after deleting an account, personal data can remain in Facebook’s databases for up to 90 days. It has also never been clear whether the platform actually deletes the data from its databases or simply ensures it isn’t viewable by the public. Under the GDPR, Facebook would be held accountable to its promise that data is entirely removed from its servers at the request of the user.
If there’s a silver lining to the Cambridge Analytica scandal and resulting hearings, it’s that they have put a spotlight on the importance of laws such as the GDPR that support the protection of personal data. The Facebook hearings have prompted the global online community to take a closer look at what it means to share our personal data, how it can be used, and why it is so important that we have control over its use. As concerning as these revelations about Facebook are, we are encouraged by the resulting attention that has been placed on what we’ve always considered to be a primary human right - protection of privacy.
At Hushmail, everything we do is with one overarching intention - protecting your data. News stories about cyber theft and data privacy abuse help us all become better educated about what it means to put our private information online and the importance of security. It’s our hope that what we’re learning about Facebook strengthens our resolve as an online community to shore up defenses against personal data mishandling and abuse. What might have seemed relatively benign at first, a simple connecting and sharing with friends, has shown us just how powerful and potentially damaging large stores of data can be when improperly handled.