It all started with a seemingly innocent personality test on Facebook. More comprehensive than the usual 'what is your luckiest day?' or 'what colour is your dog's aura?' tests, this one was created by the University of Cambridge and seemed legit. However, the motives of the organisation conducting the test were not so innocent.
That organisation is Cambridge Analytica, a data analysis business engaged by the Trump Presidential and Brexit campaigns to create targeted ads online. When the punters completed the personality test they agreed that Cambridge Analytica could collect their results and use that data. They also allowed access to their Facebook profiles, including likes and friends.
With access to the profiles of the original 270,000 users who took the test, Cambridge Analytica went on a data scraping spree and collected info from a further 50 million friends of the original users. It then analysed that data to predict things including individuals' location, race, gender, age, sexual orientation, political leanings, intelligence, drug use and receptiveness to positive or negative messages. Ads were then targeted to individuals based on their profiles.
Moving beyond the likelihood that absent the work of Cambridge Analytica Trump would not be POT US right now, let's look at which privacy laws were actually breached. We think most of them, but here are the two biggies:
- Serious breach 1: The original 270,000 punters had only agreed that their data could be used for academic purposes, not for targeting political campaign ads. Privacy laws everywhere say you can only use data for the purposes for which you get consent at the time of collection.
- Whopping breach 2: Cambridge Analytica had no consent (at all) to collect the personal information of the additional 50 million Facebook users. Those users didn't even know their data was collected.
Bonus question: Did Facebook also break the law? In Australia, possibly. Facebook routinely shares user data with third parties (which it willingly did with Cambridge Analytica), but its terms of service state the purposes for which the data can be used. Political campaigns are a no-no: therefore, Cambridge Analytica breached its agreement with Facebook. Facebook is claiming this is just a breach of contract by Cambridge Analytica, and not Facebook's (legal) problem. But, do Facebook's responsibilities go beyond just getting third parties to agree they won't do unapproved things with your data? We'd say yes, but we'll know for sure soon as the Australian Privacy Commissioner is investigating.
Privacy has been a hot topic for the last few years, but we haven't seen any serious penalties imposed by regulators following a breach. However, with new EU privacy laws about to come into effect which have worldwide application and fines up to 20 million Euro or 4% of turnover (that means in the billions for Facebook), we're grabbing the popcorn.