GDPR is coming soon. The General Data Protection Regulation is being introduced by the European Union on 25th May 2018. The new law on data privacy and data protection significantly strengthens European citizens’ rights to online privacy and control of their personal data. Despite being a European initiative, GDPR will have a global impact on all the major technology companies.
You might think that this would be a bad thing for companies such as Facebook. They have achieved much by capturing and using personal data, in ways that are beyond the understanding of most people. But in the last month or so, Facebook’s reputation has taken quite a hit. The revelations that millions of users unwittingly had their Facebook data harvested by Cambridge Analytica and used to target manipulative political messages at them are the reason for this unrest. Current news stories suggest we’ve reached the limit of what the public is willing to tolerate from Facebook.
In light of this, GDPR could provide Facebook with an ideal opportunity to repair their reputation and prevent these issues recurring, if they’re willing to embrace it. What might the future hold for Facebook in a GDPR world? Can they use GDPR to rebuild their reputation with the public?
How Cambridge Analytica exploited Facebook’s data
Before we think about GDPR, we’ll remind you of why Facebook’s reputation has been falling lately. Over the last few weeks, you’ve been hearing about the relationship between Facebook and Cambridge Analytica, the analytically driven company which managed to obtain data on millions of Facebook users several years ago.
In 2014, Aleksandr Kogan, an academic at Cambridge University and founder of the company Global Science Research, created a Facebook app called “thisisyourdigitallife”. This app involved a personality test and collected data from people’s Facebook profiles.
Hundreds of thousands of people were paid to use the app and have their data collected. They believed the data was being collected for academic purposes. However, the data was actually passed on to Cambridge Analytica, a firm that uses data and analytics as part of political campaigning. Only at this point, when data was passed on to a third party, were Facebook’s terms and conditions breached.
Personality models based on your data
In addition, the app did not just harvest information from the Facebook profiles of the people who used it. It also harvested data from all the Facebook friends of these people. Facebook allowed apps to do this at the time, although this is no longer permitted. As a result, the number of people affected far exceeds the number of people who used the app.
About 270,000 users consented to having their data harvested. However, some estimates now suggest that 87 million users could have had their data shared with Cambridge Analytica. Most of these people were based in the USA.
Whistle-blowers claim that this personal data was then used to build detailed personality models on these millions of people. These models could be used to profile people and target political advertising that would be most effective to them personally. Cambridge Analytica have worked on several high-profile political campaigns in recent years, most notably Donald Trump’s campaign in the 2016 US presidential election.
Cambridge Analytica claim the Facebook data was deleted after they found out, in 2015, that it had not been obtained properly. They also claim that they only used legitimately sourced data in their work on the 2016 election.
Is Facebook really the bad guy?
People often say of Facebook and similar companies that when you’re not paying anything for their services, it’s because you are the product. I find that a bit excessive (astonishingly it often comes from people that sell a product for money, maybe even a product that Facebook provides for free). Incidents like this illustrate where that argument comes from.
Even with all the technological advances of recent times, the value of our personal data is still underestimated by so many people. And it’s true that data on a single person probably isn’t that valuable at all to someone like Facebook. However, what this affair shows is the value of personal data when you have data on thousands, or even millions, of people. Somewhat counterintuitively, having data on more people allows companies like Facebook to produce more targeted, individualized content and advertising. This allows them to easily identify other people with similar characteristics to you.
At a time when social networks and other online services we use are enormous, global companies, events like this expose how valuable data is to these companies.
Facebook might think this incident shouldn’t reflect poorly on them. While the data came from Facebook, it was given to a third party against their terms of service. However, this misses the point. I suspect the main issue that makes people uncomfortable with this affair is not necessarily who passed their data to who, but more what their personal data was used for. Manipulating people for political ends simply doesn’t sit well. And especially at a time when fake news and misinformation campaigns get so much attention worldwide.
This particular incident may have involved an external company creating detailed personality profiles, but who among us thinks that Facebook aren’t creating similar models themselves? I suspect that part of Facebook’s issue with this whole affair is that it exposes just what can be done with personal data to a public that largely remains blind to it.
Policies change, but data remains
Facebook changed their policies on apps in 2015. Apps can no longer harvest data on people’s friends without the consent of those friends. As a result, it shouldn’t be possible for this specific incident to occur again, but that doesn’t mean that a similar incident couldn’t happen in the future.
However, even with Facebook changing their policy, any data that got out into the wild before that stayed out in the wild. This was still available and being used years later. Indeed even now, it appears much of the data included in this app can be found on the Internet, if you know where to look.
In many ways, this illustrates the permanency of the data we put onto the internet. For most people, using Facebook is a very transactional activity. They log on to Facebook, like an image, share a few posts, get a dopamine hit and then log off until their next visit. After a couple of hours, users would probably struggle to remember any of the pages they visited. But Facebook remembers everything, much better than humans do. Arguably, Facebook know more about us than we do about ourselves, precisely because it remembers thousands of things that we forget in an instant.
GDPR and the Cambridge Analytica debacle
From an individual’s point of view, there were clearly numerous failings that led us to where we are today. However, if GDPR was in place and being adhered to, we can be fairly confident that it would not have happened. GDPR is a big regulation, but it has several provisions that would have prevented the affair from unfolding the way it has.
- Consent: The Cambridge Analytica app was able to harvest as many Facebook profiles as it did primarily because it automatically collected data from friends of the people who used the app. Those friends did not explicitly consent to their data being used in this way. Facebook has already ended this practice, but nonetheless GDPR makes clear that companies must explicitly obtain consent from individuals to use their data. This includes notice of the specific purpose of the data collection.
- Clear language: Consent is all well and good, but one of the real innovations of GDPR is in how consent is obtained. Currently, many apps, websites and so on obtain consent by providing you with several thousand words of boring legal jargon, WITH SOME BITS ALL IN CAPITALS FOR NO OBVIOUS REASON. Nobody reads these things and so GDPR will require consent in an easily accessible form, using clear and plain language. GDPR also requires it to be as easy to withdraw consent as it is to give it. This may not have affected the Cambridge Analytica affair in particular, but will affect Facebook greatly.
- Breach notifications: Facebook became aware that Cambridge Analytica had obtained their data in 2015. However, they did not notify the people affected, as they had been given “assurances” that the data was deleted. Under GDPR, companies are required to notify affected parties of any data breaches within 72 hours of becoming aware of them. In this case, the Cambridge Analytica affair would have come out much sooner if this requirement had been in place.
How will GDPR affect Facebook in the future?
As we said at the start, GDPR may be a European regulation, but its effects will be felt throughout the world. In the current climate, it’s likely that Facebook will apply most or all of the principles of GDPR worldwide.
Facebook obviously relies on the presence of large quantities of data about everyone on its site. That is in effect the raw material that they process into something that makes them money. However, we need to remember that they are not only constrained by technical limitations on how much data they can obtain on you. They are also constrained by the weight of public opinion, and when that constraint gets broken, it is a painful experience for all concerned. Facebook discovered this over the last month.
In response to the current situation, Facebook is rolling out a single centralized system for controlling privacy and security settings. This is something that they would probably have been doing for GDPR compliance purposes, but they can now roll it out worldwide, including outside Europe, which in particular makes it look like a response to the current situation. In this way, GDPR can provide them with a useful public relations boost, while also reducing the likelihood of public relations crises in the future.
Yes, GDPR may reduce Facebook’s access to personal data. Some people might change their privacy settings so that Facebook knows a little less about them. But most people won’t do anything of the sort. As a social network, Facebook knows better than anyone that online outrage, hashtag-led campaigns and the like rarely translate into concrete actions in the real world. For every person who actually leaves Facebook or heightens their privacy settings over this, many others will just keep using it as before.
Even with some reduction in the data available to them, Facebook will be able to work with what they have. They’re a clever group of people, and I personally think they’ll have little trouble analyzing you with 80 or 90% of the data they currently use.
Conclusion
There’s no doubt that the last month has been damaging to Facebook, but it is unlikely to have a major impact on them in the long run. The general public are surprisingly ambivalent about scandals of this nature, so I don’t expect a large-scale exodus of users from Facebook.
However, the overall impact of GDPR is more interesting. Facebook have dealt with regulatory issues in the past, and I’m sure they’ll be able to deal with this one too. The likelihood is that their access to data won’t be restricted too much, but even if it is, they can probably do more with less data. In fact, the data and privacy practices that will be forced on Facebook by GDPR are already being used to boost their public image. In the end, GDPR may actually help Facebook improve their reputation in the eyes of the general public.