In a week that has seen more “intents” than a field in Glastonbury, the latest and greatest fine to-date was just announced as the US Federal Trade Commission approved a $5bn fine to Facebook as a result of the 2018 Cambridge Analytica scandal (source: https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html)
The Facebook–Cambridge Analytica data scandal was a major political scandal in early 2018, when it was revealed that Cambridge Analytica had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes. The method used was an application under the guise of a “personality quiz” called “thisisyourdigitallife”, and data was collected not only from users who took part in the quiz, but also from friends of those users – all without the consent of either the user or, of course, their friends. It is alleged that around 87 million users were affected by the scandal.
The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users. The agency was concerned that Facebook had violated the terms of a 2011 agreement, in which Facebook agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public (source: https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep). The settlement required Facebook to give users very clear notifications when their data was being shared with third parties.
The settlement will now be reviewed by the Department of Justice (reports say), but the message being sent out by both the US and UK regulators (the latter intending to issue fines of £183.3m and £99m to British Airways and Marriott International Inc respectively) is clear: infringement of data subjects’ privacy, or being in breach of data protection laws, will be treated with the utmost severity. Punishment will follow for ignorance and systematic abuse of people’s personal information, and for neglecting the information security principles of Confidentiality, Integrity & Availability of personal data.
Of course, in addition to this, the UK Information Commissioner’s Office is also looking into the digital advertising industry – in particular behavioural advertising, retargeting and Real-Time-Bidding Auctions (in which big tech firms have a significant commercial interest) – so it is highly likely that this will not be the last time we see familiar faces and household names in the news for being in breach of Data Protection Regulations & Privacy laws for not obtaining users’ consent.
There will also likely be cases brought to the attention of regulators where companies fail to implement the appropriate technical and organisational measures, such as having an appropriate information security policy or not deploying the required training for their staff.
Martin de Bruin, CEO of Deslyon, says:
“This week we’re starting to see the consequences of failure to comply with Data Protection laws and Privacy regulations. Companies feel that they can take a laissez-faire approach when it comes to their obligations whilst we have constantly disagreed with their consensus. Now it is clear to see that doing nothing or skipping over data protection/privacy obligations is no longer an option.”
News outlets report that Facebook declined to comment. However, if you are looking for guidance and advice on how to comply with Data Protection regulations and privacy laws for your organisation, contact firstname.lastname@example.org.
Image source: https://www.flickr.com/photos/stockcatalog/26406050097/in/album-72157695350251185/