Digital Business Lawyer

User data controversy instigates Facebook changes as ICO investigates

The UK Information Commissioner, Elizabeth Denham, announced on 24 March 2018 that the Information Commissioner’s Office (‘ICO’) has executed an investigation of the London offices of the data analytics company Cambridge Analytica (‘CA’), having obtained a search warrant to access records and data held by CA. Denham has explained that the ICO is investigating the circumstances in which Facebook users’ data may have been illegally acquired and used, as part of its ongoing investigation into the use of personal data and analytics for “political purposes.” An earlier statement on 19 March confirmed that the ICO is looking into the acquisition and use of Facebook data by Cambridge University researcher Dr Aleksandr Kogan, CA and CA’s parent company SCL Group, the individual and organisations at the centre of allegations made by ex-CA whistleblower Christopher Wylie to a series of media outlets including The Guardian newspaper in March 2018. (article written on 26/03/2018)

In 2013, Dr Kogan created a personality quiz app on the Facebook platform, which was, according to Facebook, downloaded by around 300,000 individuals who shared their data and in some cases their friends’ data, depending on their Facebook friends’ privacy settings; according to a 21 March blog post by Facebook CEO Mark Zuckerberg, this meant that “tens of millions of their friends’ data” was accessed by Dr Kogan as a result of how Facebook worked at the time. Zuckerberg goes on to explain that after learning in 2015 that Dr Kogan had allegedly shared this data with CA without user consent, the app was immediately banned as a result of Dr Kogan’s apparent contravention of Facebook’s policy. At this point Facebook understood that all data had been deleted by Dr Kogan and CA; while CA maintains that it carried out the deletion of data, The Guardian, The New York Times and Channel 4 have alleged to Facebook that the data may not have been deleted as certified. It has been further alleged that the data obtained by CA was used in targeting voters as part of the work CA carried out for Donald Trump’s 2016 US Presidential election campaign, which CA denies. Following the allegations Facebook banned CA and Dr Kogan from using its service.

The allegations have sparked action from regulators globally; among them, the US Federal Trade Commission (‘FTC’) issued a statement on 26 March confirming it had opened an investigation into reported concerns around Facebook’s privacy practices. In 2011 Facebook reached a settlement with the FTC with regard to transparency for users as to how their data is shared with third parties; a finding that Facebook has violated this order would result in a fine.

Zuckerberg described the situation in his blog post as a “breach of trust between Facebook and the people who share their data with us and expect us to protect it,” and subsequently set out a number of actions that Facebook has taken or is taking to avoid similar situations in the future. Zuckerberg highlighted that in 2014 the way in which the platform worked was changed to substantially limit the data apps could access, but also announced further changes. In brief these changes are that Facebook will investigate - and audit in full if necessary - any apps which had access to large amounts of information before the 2014 platform changes; that Facebook will further restrict developers’ access to data going forward; and that Facebook will create a tool to allow its users to monitor and revoke app permissions via their News Feed.

Highlighting Zuckerberg’s promise of a Facebook tool for users to see how their data is being used by apps, Amy Lovell-Odone, Solicitor at Sheridans, questions “will Facebook’s tool show the pathway by which data was harvested - and not just the fact that the rogue app obtained it? Will we see the dataflow - from the first point of connection that enabled the obtaining of our data to the final transfer to the ‘bad actor’? While the incoming GDPR includes a requirement to notify individuals when their personal data has been breached, arguably this requirement could go further. Like informed consent, the public may eventually demand a much more informative breach notification.”

The incident has provoked further calls for increased regulation of Facebook. Asked about the topic during an interview with CNN on 21 March, Zuckerberg replied that “I actually am not sure we shouldn’t be regulated,” noting he would “love to see” ad transparency regulation, for example. Responding to the controversy, UK Secretary of State for Culture, Media and Sport Matt Hancock MP warned of the forthcoming application and possible consequences for platforms like Facebook of changes to data protection law. In an interview with Channel 4 News on 22 March, Hancock highlighted that as a result of the UK’s forthcoming Data Protection Bill the ICO will have stronger enforcement powers, and added that “we’re looking at whether [the ICO’s enforcement powers] need to be strengthened further because of the experience of this particular investigation.”

Meanwhile, commentators note the timely application of the GDPR in May this year. “The GDPR is an attempt to level the playing field in favour of the individual, by granting individuals choice and control over how their personal information is used, and imposing obligations of fairness and transparency upon organisations that use such personal information,” comments James Castro-Edwards, Partner at Wedlake Bell LLP. “It will take effect on 25 May; in the light of this latest development, not a moment too soon.” “The controversy will also embolden data protection regulators in the run up to the GDPR taking effect,” adds Victoria Hordern, Head of Data Privacy at Bates Wells Braithwaite LLP. “Making the case for use of sophisticated enforcement weaponry just got easier for data protection regulators as they seek to hold organisations to account for data use.”

The controversy has also caused hesitation from Facebook advertisers; for instance Mozilla announced on 22 March that it is to suspend advertising on the platform until “Facebook takes stronger action in how it shares customer data, specifically strengthening its default privacy settings for third party apps,” according to a statement on the company website.
