In November last year, the British Information Commissioner’s Office (ICO) fined Facebook $650,000 — the maximum fine possible — in response to the Cambridge Analytica scandal. In a statement issued at the time of the ruling the ICO said the social media network broke two of the UK's legally binding data protection principles by allowing Cambridge academic Aleksandr Kogan to harvest Facebook users' personal data through an app disguised as an innocent online quiz.
Facebook, Data and App Developers
The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.
At the same time the Cambridge Analytica scandal investigation was being carried out, the British parliament had also undertaken a wider investigation into the issue of privacy in the digital world.
Clearly other European governments were doing the same. Over the last two months, the French data regulator (CNIL) hit Google with a $57 million fine for breaching the GDPR regulation, while Germany ruled at the beginning of February that Facebook is abusing its virtual monopoly in social media by combining data from Instagram, WhatsApp and third-party websites. In the future, the regulator explained, Facebook will have to seek German users' explicit consent to collect and combine such data.
Is Facebook a Digital Gangster?
If all this wasn’t bad enough, British parliament just issued the final report regarding its Facebook investigation, and it’s not pretty. Describing Facebook as a “digital gangster,” it concludes that Facebook must be regulated.
The ICO statement into GSR, the company that harvested Facebook users’ data and passed it on to Cambridge Analytica, is telling and explains why European regulators are getting so excited. The statement reads: "Facebook... failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr. Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.”
The parliamentary report for its part summed up the principal reasons it is going after tech companies, and Facebook in particular, as follows: "We fined Facebook because it allowed applications and application developers to harvest the personal information of its customers who had not given their informed consent — think of friends, and friends of friends — and then Facebook failed to keep the information safe. […] It is not a case of no harm, no foul. Companies are responsible for proactively protecting personal information and that’s been the case in the UK for thirty years. […] Facebook broke data protection law, and it is disingenuous for Facebook to compare that to email forwarding, because that is not what it is about; it is about the release of users’ profile information without their knowledge and consent."
Related Article: Facebook: A Case Study in Ethics
Concern in the U.S. Too
In this case, the US-based app developer Six4Three, claims that Facebook used Facebook users’ data to persuade app developers to create platforms on its system, by promising access to users’ data, including access to data of users’ friends.
The case also alleges that the developers that became successful were targeted and ordered to pay money to Facebook. If apps became too successful, Facebook is alleged to have removed the access of data to those apps, thereby starving them of the information they needed to succeed, according to Six4Three's original case logged in 2015.
It’s not only Facebook in the crosshairs in Europe though, the ICO is looking into whether Google has violated GDPR as well. It also said that it is working with other regulators around Europe to consider its next possible steps after a number of complaints had been raised. In fact, there have been 59,000 complaints already. But will it have any impact on organizations?
Will Facebook Fail in Europe?
According to Robb Hecht of Baruch College New York City, GDPR is not just a US-Europe problem, but a global problem. Europe led the GDPR movement of data privacy, he said, so you have, on one hand, the extreme privacy protection on the one side with Europe, and China on the other end — and the US sitting in the middle.
Businesses and marketers use Facebook because of the huge amount of users who use the platform, he said, as well as all the formats and data choices it offers to reach and engage them in ways that propel brand awareness, consideration and conversion. While Facebook may carry on in Germany as a means to connect friends and family — it may be deprecated as a tool in Germany for businesses to use.
Europe can continue to press for data privacy, but in the background with 5G rolling out, artificial intelligence (AI) increases in usage and the Internet of Things proliferates, which makes it possible to monitor everything monitorable for data and usage patterns. “Chinese products could become so dramatically superior because they will be made based on usability data gathered in real-time. Meanwhile, German products would suffer and not remain competitive from an innovation perspective. It's like being between a rock and a hard place,” he said.
Businesses of all sizes and scale across Europe use Facebook to reach new customers and grow. As a result, Steve Weiss, founder and CEO of MuteSix, said he doesn’t anticipate seeing any immediate impact on consumers and businesses who use Facebook services as it’s going to take some time for the regulator’s decision to force change. “But we do anticipate Facebook making changes to abide by laws and help their users understand the implications of shifting the power balance towards consumers. And, that’s always a good thing,” he said. “The fact remains — few brands are changing their ad spending, so it’ll be hard to topple the giant.”
Diluting the Power of Tech Giants
In the German ruling, the Federal Cartel Office gave the company 12 months to stop “unrestrictedly collecting and using” data and combining it with users’ Facebook accounts without their consent.
Andreas Mundt, president of the Bundeskartellamt, said in statement about the ruling: “With regard to Facebook’s future data processing policy, we are carrying out what can be seen as an internal divestiture of Facebook’s data. In the future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts.
He added during a press conference afterwards, reported by Bloomberg financial news service, that “People always ask to break up huge internet companies…Well, what we do here today is really something like internally breaking them up.”
This may not be the end of data harvesting for US tech companies working in Europe, but it is the beginning of a major change in the landscape. What the new landscape looks like remains to be seen, but it is a good bet that the power major tech companies wield will be drastically reduced