Facebook’s data protection disaster and the GDPR

It has been a rough few weeks for Facebook. The world is watching the outcome of the Cambridge Analytica scandal, which raises accusations that millions of US voters had their Facebook data misappropriated by consultants working for Donald Trump’s presidential election campaign.

Sources suggest that Cambridge Analytica, a British political consulting firm, secretly extracted data from the profiles of over 50 million Facebook users. The social media giant stands accused of creating a ‘personality testing’ app – “thisisyourdigitallife” – and using the data gathered from it to influence voters in the 2016 American presidential election. As a result, the way in which Facebook uses personal data has come under scrutiny and data protection is again in the spotlight.

News of this scandal breaks ahead of the General Data Protection Regulation (GDPR), which comes into force across Europe from 25 May 2018. The GDPR will bring considerable changes to the data protection framework in the UK and across the European Economic Area more widely. It will also have an impact internationally, as it applies to businesses outside of the EU where they collect or process the personal data of European citizens. As such, the GDPR will affect Facebook and many other online services and social media businesses overseas.

The GDPR was introduced to strengthen the protection of the personal data of individuals. The new law aims to update data protection law in line with technological developments and strengthen the rights of individuals in respect of their consumer data. The GDPR also aims to introduce a harmonised data protection framework across all EU member states, meaning businesses will have a more consistent set of data protection compliance obligations across Europe.

The concept of “accountability” is at the heart of the GDPR, meaning organisations must be able to demonstrate that they have analysed the GDPR’s requirements in relation to their processing of personal data and implemented a system that allows them to achieve compliance with this.

Some of the key changes under GDPR include:

  • The new law applies to companies outside of the EU where their processing activities relate to the offering of goods or services (even if free) to, or the monitoring of the behaviour of, data subjects in the EU. In practice this means that companies outside the EU targeting EU consumers will need to comply with the GDPR and may need to appoint a representative in the EU.
  • In certain circumstances data controllers and processors must appoint a Data Protection Officer (DPO).
  • The current European data protection law regulates data controllers (those responsible for determining the purposes and means of processing of personal data). Data processors such as agents or suppliers (organisations engaged by a controller to process personal data on their behalf) will have new direct compliance obligations under the GDPR, including the obligations to maintain written records of processing activities, to designate a DPO when required and to notify the data controller of breaches. Practically this will change the risk profile for businesses, as suppliers will need to comply with the GDPR and will face the threat of sanctions for failing to comply.
  • Consent from data subjects for the processing of their personal data will be harder for organisations to obtain and rely on.
  • There will be new requirements in respect of keeping data processing records and documentation.
  • Data subjects will be afforded enhanced rights, such as the “right to be forgotten”.
  • Data controllers must (unless exceptions apply) notify data breaches to their relevant supervisory authority without undue delay and, where feasible, within 72 hours of awareness.
  • Data Protection Impact Assessments will be mandatory in certain circumstances, specifically in situations where data processing is likely to result in high risk to individuals.

The GDPR has adopted a tiered approach to penalties for breaches of the law and significantly increased the fines for breaches. In the most serious cases, fines of up to the higher of 4% of annual worldwide turnover or EUR 20 million can be imposed. The significant increases in maximum fines mean that businesses are re-evaluating the risks of non-compliance and the need to adopt a more rigorous approach to compliance with data protection law.

Facebook has announced that it will be working on providing stronger privacy protections for users ahead of the GDPR. It has recently stated it will take active steps to protect customer data, such as re-working privacy settings so that they are easier to locate and removing the functions allegedly used by Cambridge Analytica to harvest users’ data. Mark Zuckerberg has recently stated his support “in principle” for a GDPR-like opt-in standard for users before they provide their data.

For advice on compliance with the new data protection regime, please get in touch with a member of Mackrell Turner Garrett’s experienced Commercial Law team.

Maung Aye
Maung is a partner in our Corporate and Commercial department. He joined Mackrell Turner Garrett following corporate law positions in London and in a leading regional firm in Essex.