Cambridge Analytica case: last wakeup call before GDPR

The exploitation of 50 million Facebook profiles, by Cambridge Analytica, shows the need to strengthen the protection of personal data. In this sense, the upcoming application of the General Data Protection Regulation (GDPR) is welcome.

Facebook got into hot water following the revelations of whistleblower Christopher Wylie. This former employee helped to found the British company Cambridge Analytica, at the heart of the scandal, where he now denounces the practices. This Big Data company is accused of illegally grabbing the personal data of 50 million Facebook users for electoral profiling purposes.

This leak was made through a personality test application. There are thousands of such apps on Facebook and to use the application, users had to allow certain access. The developers behind the leak knew full well that this control would not be a restraint, as most users accept such access without understanding the risks involved.

It is also behind this authorisation mechanism that the line of defense lies for Facebook. For the Menlo Park group, the information was collected in a "legitimate" manner and using "the appropriate channels that governed all Facebook developers at that time". Facebook has since disabled a feature that offered developers the ability to collect contact data from an account without their consent.

The upcoming application of a European regulation

Using Big Data for an election campaign is not new or illegal. Barack Obama's campaign team had also distinguished itself in this area. On the other hand, the problem raised by the current scandal lies in obtaining personal data without the consent of the people concerned.

In May, the European GDPR will require companies and other organisations to obtain and document the consent of each user that their personal data is being collected.

The request for consent must be clearly formulated and not hidden in the middle of general conditions of use, which everyone knows is almost never consulted. It will also specify for what purposes the data will be collected and for how long it will be kept. The transfer of such data to third parties must also need to be explicitly requested and approved.

With the GDPR in effect, Facebook would have been fined €1.6 billion

Will Facebook be subject to sanctions, even financial penalties, within the framework of existing regulations? CEO Mark Zuckerberg was summoned to a British parliamentary committee.

As the GDPR is not yet in effect, it is interesting to note what the impact would have been if this scandal had taken place after May 25, 2018. The new regulation brings a fine of up to 4% of global revenues. In the case of Facebook, whose global revenues in 2017 amounted to $40 billion, this fine would have been 1.6 billion!

What is just as interesting is the impact on public image. Since the beginning of this case, the stock market has lost 11% over two days, or nearly 60 billion dollars in market capitalisation. It is unlikely that Facebook users will leave this network as a result of this scandal, but on the other hand, this case raises awareness of the need for caution with the use of personal data.

This article was first seen on 21 March 2018 in Les Echos and was written by David Luponis, Head of Cyber Security at Mazars in France, and Jean-Michel Besnard, cyber security expert at Mazars in France.

Want to know more?