Facebook and Cambridge Analytica under fire for unauthorised data collection

Market-leading social media platform Facebook is under fire over the unauthorised collection of personal information from its users.

In 2014, Cambridge University psychologist and owner of Global Science Research (GSR), Aleksandr Kogan, created an application in the form of a personality test for Facebook users. Participants were told the test was for academic purposes. Upon accessing the test, initial users consented to their online data being harvested. However, unbeknown to test users, the application also automatically downloaded the data of each initial user’s Facebook friends. Consequently, whilst the application only attracted 270,000 participants, GSR was able to download data pertaining to over 80 million Facebook users.

The information harvested included details on Facebook users’ identities, friend networks and “likes”. The purpose was to map personality traits based on what people had liked on Facebook and use that information to target audiences with digital ads.

GSR sold this data to Cambridge Analytica, a political data analysis firm hired by President Donald Trump’s 2016 election campaign. It is alleged Cambridge Analytica used this information to identify the personalities of American voters and influence their behaviour in order to help Trump win votes.

How did this happen?

GSR was able to access this information due to Facebook’s approach to data collection. In a move to encourage developers to build applications for the website, the previous privacy policy granted developers access to users’ friends’ data.

This access was sanctioned by the initial user agreeing to a permissions screen whenever they downloaded an application. The screen stated that the application would receive certain information, including friend lists and friends’ birthdays, photos, and likes. Initial users were able to block such data sharing by changing their settings. Facebook stopped allowing developers to access the data of users’ friends around mid-2014.

Sandy Parakilas, the former platform operations manager at Facebook who was responsible for policing data breaches by third-party software developers, has come forward and expressed his concern over Facebook’s privacy standards and the company’s regulation of data collection. He claims the company actively adopts a head-in-the-sand approach and has zero control over the data given to outside developers.

Facebook’s response

Facebook has since issued a statement saying it became aware of the research data being turned over to Cambridge Analytica in 2015 and immediately removed the application from the website. It also demanded and received certification that all the data had been destroyed.

However, claims have emerged that not all the data has been deleted. Facebook has since hired a digital forensic firm to determine the accuracy of these claims.

Privacy Breaches under the Privacy Act 1988 (Cth)

Facebook and GSR’s collection of the data may constitute a breach of the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

The Privacy Act states that an individual must consent to the collection and use of their personal information. Consent means “express consent or implied consent”.

Whilst the initial user who accessed the application provided express consent for their information to be collected, it is unlikely Facebook will be able to establish that friends of the initial users gave either ‘implied’ or ‘express’ consent.

Former Australian Information and Privacy Commissioner, Timothy Pilgrim, released a statement that the Office of the Australian Information Commissioner (OAIC) is investigating the breach. Mr Pilgrim has asked Facebook if the data of any Australians was acquired and used without authorisation to build personality profiles.

Mr Pilgrim also warns that the OAIC is considering taking action against Facebook, with consequences ranging from regulatory action to court-imposed penalties.

Additionally, Senators from both sides of the political aisle in the US have called for an investigation into Facebook following the revelations. The president of the European Parliament made a similar call.

What this means for you

This issue with Facebook comes at a time when there is much regulatory change, both in Australia and globally, with regard to privacy and data handling laws.

Australia’s enactment of the Mandatory Data Breach laws and the EU’s introduction of the General Data Protection Regulation are a reflection of a growing concern amongst consumers regarding the handling of their personal information. It is important for small businesses and large enterprises alike to ensure their compliance with the growing regulatory framework in this area.

If you would like any advice regarding your company’s compliance with the new privacy laws, please contact Alex Ninis or our IT&T team.

This article was written by Marcus Hannah, Associate – Commercial and Serpil Bilgic, Graduate Lawyer – Commercial.