[Image: An AI robot with a pick axe, mining data. Photo: Shutterstock]

If anyone had any doubts that Facebook was smarting after revelations that Cambridge Analytica, the UK-based consulting firm that uses data mining, data brokerage and data analysis in elections, had been harvesting data from the social network, they should put those doubts aside. This week, Facebook is limiting advertisers' ability to target users, the first change in what is likely to be a long campaign by Facebook to regain users’ trust.

However, the problems created by the actions of Cambridge Analytica don’t stop with Facebook. As Twitter pressure from the #deletefacebook campaign grows and users start questioning their use of Facebook, on the far side of the Atlantic, European Union (EU) regulators have been quick to condemn what they see as a massive infringement of privacy.

The General Data Protection Regulation (GDPR) is due to come into effect on May 25th, forcing all companies operating in the EU to comply with strict privacy rules. As the law has already been passed, it is unlikely that the recent Facebook scandal will lead to any legal changes to it, but it certainly seems to have increased public awareness of the issue, which in turn will result in increased support among EU citizens.


Heightened Expectations

Mathilde Foucher is a legal specialist at Linkilaw, a virtual lawyer community. She points out that if a similar data breach had happened with GDPR already in place, Facebook would have been liable for fines of over $1.6 billion as well as other sanctions. “Implied consent or pre-ticked boxes would not have been acceptable. Users should have been informed that their information could have been shared with the third party and they should have been able to exercise their right to be forgotten,” she said.

She added that GDPR would have made users more aware of the situation and, as a result, GDPR would have gained in credibility. The consequence is that consumers’ expectations of the organizations they share their data with will be higher.

Educating Data Consumers

The data usage scandal couldn’t have come at a worse time for US companies operating in Europe. If there were already suspicions in consumers’ minds about how their personal data was being used, the Cambridge Analytica scandal has only confirmed them. Jeff Nicholson, vice president of CRM product marketing at Cambridge, Mass.-based Pegasystems, said that the new regulation is going to leave many businesses scrambling as consumers start to understand what they can do to protect their privacy.

The GDPR is poised to allow consumers to challenge businesses for visibility into exactly how their data is used. Right now, Nicholson says, very few EU consumers realize that GDPR will give them the power to request, restrict and delete that information on demand. He also points out that EU consumers don't know or understand where their data is being shared. “Indeed, once EU citizens understand the power of GDPR, it won’t be long till they set their sights on other types of businesses as well. The floodgates will open, but the risk is that most companies aren’t prepared to handle it,” he said.


Understanding What Informed Consent Is

One of the principal impacts of the Cambridge Analytica incident is the renewed focus on ‘informed consent’ and what it means in online environments. While that may not seem controversial, it goes to the very heart of the problem organizations face once the GDPR is in place. Under the GDPR, consent for personal data collection must be clearly affirmative, unambiguous and freely given, meaning that implicit opt-ins using pre-checked boxes or implied consent notices (like the classic ‘you agree to our privacy policy by using this site’ notice) are no longer going to cut it.

According to Jeremy Tillman, director of product at Ghostery, a New York City-based developer of privacy and security applications, the GDPR also considers any online identifier, even a pseudonymous identifier, to be personal data. This means that any use of cookies or trackers needs to comply with the new law. Because the use of these technologies is ubiquitous across the web, websites will need to implement a different kind of consent mechanism that meets the letter of the GDPR. “An interesting twist to these more stringent consent rules is the requirement to honor user-selected browser settings that would qualify as an affirmative choice to grant or withdraw consent. This includes the setting that most browsers have to automatically send a ‘Do Not Track’ request to each website a user visits, which would effectively withdraw that individual’s consent from websites to collect personal data,” he said.
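The two consent rules in the passages above (no pre-checked or implied consent, and a browser ‘Do Not Track’ signal treated as a withdrawal of consent) translate directly into a gate that a site must pass before it loads cookies or trackers. The following is an added example written for this article; it is not code from Ghostery or any other company named here. The function names, the shape of the `consentRecord` object and the `loadFn` callback are assumptions made for illustration; the browser values it checks (`navigator.doNotTrack` of `"1"`, or `"yes"` in older Firefox builds) are the ones browsers actually expose.

```javascript
// Added example: a consent gate for cookies and trackers that follows the
// GDPR rules the article describes. Function names and the consentRecord
// shape are assumptions for illustration, not a real library's API.

// A consent record as a site might store it. `method` records HOW consent was
// obtained, because under the GDPR that matters as much as whether it was.
//   { granted: true, method: 'explicit_opt_in', grantedAt: '2018-05-25T10:00:00Z' }
// Methods the GDPR rules out: a pre-checked box or "you agree by using the site".
const INVALID_CONSENT_METHODS = new Set(['pre_checked_box', 'implied_by_use']);

// Rule 1: consent must be an affirmative, unambiguous act that has not been
// withdrawn. Anything else is treated as "no consent".
function isValidAffirmativeConsent(record) {
  if (!record || record.granted !== true) return false;
  if (record.method !== 'explicit_opt_in') return false;   // covers INVALID_CONSENT_METHODS and unknowns
  if (record.withdrawnAt) return false;                     // user exercised the right to withdraw
  return true;
}

// Rule 2: a browser-level Do Not Track signal is honored as a withdrawal of
// consent, regardless of what the stored record says. Browsers expose it as
// navigator.doNotTrack === "1" (or "yes" in older Firefox); on the server the
// same preference arrives as the request header "DNT: 1".
function doNotTrackRequested(signals) {
  const v = signals && signals.doNotTrack;
  return v === '1' || v === 'yes' || v === 1 || v === true;
}

// Combine both rules into a single decision with a reason that can be logged
// for accountability (the article's "lack of transparency" point).
function evaluateTrackingConsent(signals, record) {
  if (doNotTrackRequested(signals)) {
    return { allowed: false, reason: 'dnt_signal' };
  }
  if (!isValidAffirmativeConsent(record)) {
    const how = record && record.method ? record.method : 'none';
    const why = INVALID_CONSENT_METHODS.has(how) ? `invalid_consent:${how}` : 'no_consent';
    return { allowed: false, reason: why };
  }
  return { allowed: true, reason: 'explicit_opt_in' };
}

// Read the browser's signal. Falls back to an empty object when run outside a
// browser (for example in Node) so the decision logic can be exercised there.
function browserSignals(nav) {
  const n = nav || (typeof navigator !== 'undefined' ? navigator : {});
  return { doNotTrack: n.doNotTrack };
}

// Gate the actual loading of trackers on the decision. `loadFn` is a
// placeholder for whatever injects the analytics/advertising scripts.
function loadTrackersIfAllowed(signals, record, loadFn) {
  const decision = evaluateTrackingConsent(signals, record);
  if (decision.allowed) loadFn();
  return decision;   // returned so callers can record why trackers did or did not load
}

// Usage (constructed values): a user who explicitly opted in but has DNT set.
const demoDecision = loadTrackersIfAllowed(
  { doNotTrack: '1' },
  { granted: true, method: 'explicit_opt_in', grantedAt: '2018-05-25T10:00:00Z' },
  () => console.log('trackers loaded')
);
console.log(demoDecision);   // { allowed: false, reason: 'dnt_signal' }
```

The design point is that the stored record and the live browser signal are evaluated separately and the more restrictive one wins: a valid opt-in does not override a Do Not Track request, and the absence of a Do Not Track request does not turn a pre-checked box into consent.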

Beyond this requirement, companies must also make all personal data portable and respect the right to erasure. The former means that companies need to store personal data in such a way that a user can transfer it to a platform of their choosing, while the latter is an evolution of the right to be forgotten, a directive that requires companies to delete the personal data of anyone who requests it. “Both of these requirements imply that some companies will have to make major changes in their data storage infrastructure. Beyond the technical costs, the GDPR also stipulates that companies staff specific personnel, including a Data Protection Officer, a role that will be new for most companies,” he said.

Changes for Third Party Data Harvesting and Other Grey Areas

While informed consent and other aspects of the regulation will be new to many companies inside and outside the EU, it seems unlikely that the law, or its associated penalties, will change this year, although changes cannot be ruled out in the future. Like any legal instrument, the GDPR has areas that are open to interpretation.

Take third-party data harvesting. Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company, said it could easily be argued that the harvesting of data by a third party in a legitimate, allowed manner would not be a violation of the GDPR. While it's possible that some future amendments to the GDPR may try to address this issue, doing so would cross into difficult legal grey areas about authorized and allowed use, as opposed to the unauthorized entry of a network and the unauthorized theft and use of data. “In many ways, I believe this scandal will serve to wake up several organizations who make it their business to collect and share user data for profit,” he said.

“While technically allowed under their Terms of Service and End User Agreements that we all tend to click ‘yes, we accept’ on without reading, the potential loss of reputation and dealing with an angry customer base may cause many of these companies to revise their terms and begin to limit the ways in which their partners can use the data,” said Wenzler.

Future Impact?

Whatever the fallout from the Cambridge Analytica scandal, organizations that hope to do business in Europe will be looking to future-proof themselves. Wire CEO Morten Brøgger points out that it was only a matter of time before an incident of this magnitude occurred, and that Facebook and Cambridge Analytica will be used as the poster child of what not to do moving forward. “In the next three months before the GDPR is in place, we hope this incident will demonstrate the need for regulation to be updated and improved immediately. Had the GDPR been in place, this incident would have played out differently,” he said.

Egil Bergenlind is a data protection lawyer who went on to work as iZettle’s data protection officer. He now runs his own company, Stockholm, Sweden-based DPOrganizer, having created an easy-to-use data protection management software solution. He points out that the GDPR would have happened regardless of the Cambridge Analytica scandal.

He said the GDPR will most definitely help to prevent these kinds of incidents in the future, as it gives individuals increased rights and better tools to exercise them. Whether the accusations around Facebook are proven or not, much of the trust has sadly already been lost. “Essentially, it all boils down to a lack of transparency from organizations about what data is being held on its users, how it is being obtained, what it is being used for and with whom it is being shared,” he said. “Unfortunately, this then leads to a lack of accountability and often results in the incorrect assumption that any data collected belongs to the company, rather than its individual users, and as such is traded with third party organizations, like Cambridge Analytica, as a form of currency.”

Organizations need to begin to think carefully about how they manage their relationships with users and begin rebuilding their trust through transparency. Transparency is at the core of data protection and customer trust.