Personal information from the Facebook profiles of approximately 50 million US voters is alleged to have been misused by Cambridge Analytica. The information included names, locations, emails and details of ‘likes’.
The information was collected through a Facebook personality app used by approximately 270,000 individuals. Their data and their Facebook friends’ data were then used to target them with personalised political advertisements during the 2016 US presidential election. Some press reports allege that similar advertisements were used in elections in other countries.
Facebook’s policy at that time only allowed friends’ data to be used for improving the Facebook user experience. The policy was that the information would not be sold or used for advertising.
Facebook is alleged to have known that individuals’ data were being used in this way during 2015, but did not tell users about how the information was being used and took only limited steps to remedy the situation. Facebook has claimed that Cambridge Analytica improperly received and used the data against its terms of service.
What individuals consent to when placing their own data online is often not clear. The General Data Protection Regulation (GDPR) will impose more stringent requirements for businesses to tell individuals how their data will be used and to ensure that they have individuals’ consent to use their data.
Individuals will have stronger rights under GDPR to know what has happened to their data. Businesses will face substantial practical challenges as individuals react to allegations that their data may have been misused.
Businesses will need to develop and maintain tailored plans for their use of personal data, so as to prevent misuse and to be able to respond to issues.
All businesses should be ready for closer scrutiny of their data protection arrangements by the UK Information Commissioner’s Office and the public.