A brief explanation by a data lawyer
An undercover investigation by Channel 4 News has accused British data analytics firm Cambridge Analytica of secretly campaigning in elections across the world.
In a documentary aired on Channel 4 on Monday night, high-profile figures from Cambridge Analytica were filmed discussing the use of bribes, ex-spies, fake IDs and sex workers to influence elections.
The company reportedly harvested data from millions of Facebook users to deliver micro-targeted ads.
It’s saucy stuff, and #DeleteFacebook has been trending on Twitter since.
We spoke to Jonathan Compton, Partner at city law firm DMH Stallard, who is one of the UK’s leading experts in data protection. He has lots of letters after his name, like LLB and MCIArb, and has represented UK and international clients in courts in England and Wales including the Commercial Court of the High Court and the Court of Appeal.
Who are Cambridge Analytica?
Cambridge Analytica are a private company, registered in the UK.
What do they do?
They are a data analysis consultancy. They have links to Steve Bannon and are alleged to have assisted in the election of US President Trump by data analysis of voters in swing states to target their candidate’s advertisement on an individual’s primary concerns, driver, fears, hopes, however you want to put it.
Why are they in the news?
They are alleged to have harvested data from 50 million Facebook users in order to provide better services to their clients (which are alleged to have included the Trump election team.)
How did they scrape FB data?
Cambridge Analytica assert that they acted lawfully at all times and with the consent of the Facebook users to gather their personal data. The allegation is that whatever consent was given by those Facebook users, it did not include or was not specific enough to include data harvesting for election purposes. Facebook maintain they acted lawfully. Facebook acknowledge that they knew of the harvesting of the 50 million users since 2015 but acted lawfully in not notifying those users.
Is it a data Wild West out there?
Frankly, yes. The recent revelations about UK company Cambridge Analytica Limited call into question the data protection regime in this country and, more broadly, in the USA.
Chris Wylie, the whistle blower at the heart of the story, revealed this week how Cambridge Analytica Limited used personal information taken, allegedly from Facebook, without authorisation in early 2014 to create algorithms to predict and to influence voting patterns in the US elections.
Chris Wylie told the UK Observer newspaper “We exploited Facebook to harvest millions of people’s profiles and built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on”. This is the allegation being made.
Facebook confirmed in a statement that by the end of 2015, it knew that information had been ‘harvested’ on a hitherto unknown scale. It is alleged that Facebook failed to notify users of this. The scale of the ‘harvesting’ amounted to 50,000,000 users. Under the UK Data Protection Act 1998 there is no duty on Facebook to tell its users (even those users effected) that their data has been ‘harvested’. I make it clear that, in full compliance with UK data protection laws, Facebook had no legal obligation either to notify the UK Information Commissioner, nor its users.
Interestingly, it is understood that Facebook’s UK legal advisers have written to the Observer stating that the Observer has made “false and defamatory” comment and has reserved Facebook’s legal position.
In short, under the DPA in its current form there are protections afforded to individuals and their personal data. The issue is enforcement. If there is no current obligation to report breaches, then wrong-doing can go unnoticed. Further, even under the new GDPR, if the UKIC has to apply for a warrant, the opportunity in the delay is given to those in breach of data protection rules to cover their tracks. Finally, if potential ‘wrong-doers’ (for want of a better word) can use the law of Libel to silence whistle-blowers, then ‘Houston, we have a problem’.
The law on data protection is about to change with the coming into force of the GDPR under the auspices of the Data Protection Bill. This Bill is scheduled to come into force on 25.05.18. Those who process and control data need to be aware of their new obligations. But even this new Bill has shortcomings with the lack of a true ‘dawn raid’ powers.
