Hack or Harvest: Who Is Responsible?

In a high-profile statement published across newspapers in the UK and US – an apology of sorts – Mark Zuckerberg of Facebook describes the leak of reportedly 50 million individuals' data via the quiz app "This is Your Digital Life" in 2014 as a "breach of trust." The belated statement was released in an attempt to stem the tide of regulators', politicians' and data subjects' opprobrium as it became clear that the political consultancy firm accused of using the leaked data, Cambridge Analytica, may have used the data to seek to influence voters to support US President Donald Trump's 2016 campaign.

The seemingly innocuous quiz app available via Facebook – purportedly giving users an insight into their personality type – was developed by a Cambridge University researcher operating through his own company, GSR. Although about 270,000 users' data was collected directly, a whistleblower and former member of Cambridge Analytica staff says the data of about 50 million people was harvested by GSR for Cambridge Analytica before Facebook eventually tightened its rules on obtaining user consent.

Whilst Facebook's approach of confession and avoidance is along the lines of "it could not happen now, as we have tightened our rules on data collection", the impression remains that regulation is not keeping pace with either the exponential increase in the amount of data potentially available to those with the skills to mine it, or the development of innovative ways to slice and dice that data.

At times like this, everyone is quick to point the finger of blame at others. Facebook blames Cambridge Analytica for the excessive data collection. Cambridge Analytica blames GSR. The Guardian reports that Cambridge Analytica’s contract with GSR requires the researcher to seek informed consent for all data collection. The researcher says he is being scapegoated because he received assurances that what he was doing was legal.

We can debate at which level(s) the breach of trust occurred, but clearly, privacy legislation is rendered useless if gatekeepers of data such as Cambridge Analytica or Facebook can escape responsibility by relying on data overreach by subcontractors. Indeed, breach (or inadvertence or carelessness) by subcontractors can cause significant reputational damage (and sometimes regulatory sanction).

Given the real regulatory risks involved, it is standard practice for companies setting up a project which will entail the acquisition or use of large quantities of personal data to distance themselves from those risks: they avoid taking delivery of personal data themselves (having the data collected and used by subcontractors instead) whilst at the same time requiring the contractor they are dealing with to warrant that all the personal data they use is collected in accordance with all applicable data protection laws. Each tier of the contractual puzzle contains a version of this. The end result is that data collectors or aggregators who are at the bottom of the contractual chain may be incentivized to give a level of warranty as to data protection compliance that they cannot legally support. This is what appears to have happened at the level of GSR, the private company of the researcher in the Cambridge Analytica case.

However, even if the parties to contractual chains of warranties of this nature may limit or exclude their contractual liability in this way, it has become increasingly difficult to avoid the regulatory sanctions for using personal data in breach of, or in excess of, the consents given by the data subject at the point of disclosure. Under the existing UK law, if Facebook is fined for breaches of the Data Protection Act 1998, the maximum fine would be GBP 500,000, a sum which, although painful, it could easily afford. After May 2018, however, the EU-wide GDPR will be in force. The extended jurisdiction of the GDPR means that all companies processing the personal data of data subjects residing in the EU, regardless of the company's location, will need to be GDPR compliant. This will include Facebook. On top of increased insistence that data subjects give 'prescribed consent' (i.e., fully informed and unequivocal consent) to data use, GDPR also requires that data controllers notify Supervisory Authorities of a personal data breach within 72 hours of learning of the breach, giving specific details. It is notable that Facebook became aware of this breach by Cambridge Analytica years ago. GDPR imposes massive penalties, which can be up to the higher of 4% of the violating company's global annual revenue and EUR 20 million.

GDPR is not retroactive, so on this occasion, Facebook will dodge these harsh sanctions. However, as presaged by the likes of Elon Musk withdrawing from Facebook and the #DeleteFacebook campaign, EU rules on the "right to be forgotten" and the right to require erasure of one's personal data will likely lead to a very significant spike in Facebook's data compliance costs. And that is before the US authorities take their own action.

This article is contributed by Peter Bullock from King & Wood Mallesons. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.