The dramatic revelations that Facebook users’ personal data was potentially misused by the political advertising firm Cambridge Analytica have troubling implications for consumer privacy that will become ever more complicated when the GDPR rules come into effect on May 25, 2018. Here are my initial takeaways:

  1. The markets care about privacy and data protection – as of Monday evening, Facebook lost almost $35 billion in market value.
  2. Even under the current regulatory framework (pre-GDPR) this is likely a serious breach of EU privacy law. The UK’s Information Commissioner is currently pursuing a warrant to access Cambridge Analytica’s servers to understand how the data was processed or deleted. Facebook executives have been summoned to provide an in-person explanation before the UK government, with similar demands by the U.S. Congress likely to follow.
  3. Facebook and Cambridge Analytica’s actions would likely breach several provisions of the GDPR, including requirements to:
    • Process personal data fairly and in a transparent manner
    • Not process beyond the specified, explicit, and legitimate purpose for which the personal data was collected
    • Demonstrate that consent to the processing was given (where consent is used as the basis for processing)
    • Notify individuals whose data was not collected directly (i.e. Facebook friends whose data was scraped by Cambridge Analytica) of, amongst other things, the identity and contact details of Cambridge Analytica and the purposes of the processing.
  4. The definition of personal data in the EU is significantly broader than in the US, and would include the type of data obtained by Cambridge Analytica (including personality traits, ‘likes,’ and user identities). Arguments that the data accessed by Cambridge Analytica is not personal data under US law are unlikely to be upheld under the EU’s definition of personal data.
  5. Had this processing of personal data been discovered after May 25, Facebook and Cambridge Analytica would likely face significant enforcement actions and fines under GDPR. Maximum fines under GDPR are the greater of Euro 20MM, or 4% of annual global revenue.

Both the US and EU will be conducting investigations as both jurisdictions try to uncover the facts surrounding this serious privacy issue. We will post updates as developments occur.