Thanks to Facebook, expect GDPR to spread beyond the EU
Since the General Data Protection Regulation was first developed, I have been predicting that the call for personal data protections would expand beyond the companies directly impacted by GDPR.
In early March – just a few weeks before the voter manipulation scandal surfaced – Information Management published an article of mine titled “GDPR Violations – Hefty Fines or Broken Reputations; Which Is Worse?” The premise was that as consumers start to see what GDPR compliance actually means – and by extension what noncompliance looks like – they will start expecting ALL companies they do business with to comply, regardless of whether those companies are legally obligated to do so or not. The consequences of noncompliance will be (at the very least) broken reputations and loss of customers.
As it turns out, this prediction has been proven right much sooner and more strongly than expected. And the consequences appear to be more dire than anticipated. The reason: The personal data misuse scandal involving Facebook and Cambridge Analytica.
In one week, Facebook stock plunged by $70 billion; both the US House Commerce Committee and the UK Information Commissioner’s Office are investigating; and the internet is flooded with advice on how to quit Facebook. All this comes well before the GDPR enforcement date of May 25, 2018.
While Facebook is not technically required to comply with the GDPR for data on Americans residing in the US, several of its current policies fall significantly short of the upcoming GDPR protections.
Right to be forgotten
Consumers have the right to be forgotten. This means that if asked, companies must erase all personal data, in their own databases and in the databases of any third parties to which information has passed. Not only does Facebook acknowledge the difficulty of deleting data once it leaves their platform, but it also places the onus on consumers to ensure erasure.
In the case of third-party apps accessed by a Facebook login (the cause of the current Facebook nightmare), consumers are given a user number and instructed to contact the app developer directly to delete any personal information collected from the Facebook platform. Under GDPR, Facebook would be directly responsible for the deletion of information from all databases, internal or external. The inability to accomplish this would be a clear violation.
Clear and unambiguous consent must be obtained for all personal data collected and used, and consumers have the right to ask what types of profiling is being done with their personal data. Facebook users who took the personality survey that initiated this data collection did not consent to having personal data used in a psychographic voter targeting model.
Worse, the survey also collected (legally according to Facebook policy) personal data of Facebook friends of survey takers. Meaning Cambridge Analytica obtained and used data from consumers who gave no permissions, explicit or implicit. Facebook has since reversed that particular loophole, but the damage is already done.
Policies like this would be an egregious violation of GDPR protections. In fact, the entire Facebook model of allowing third-party apps to collect users’ personal data without gaining an understanding of how that data will be used (and transmitting that understanding back to the users) seems to violate the GDPR.
Right to review and remediate
GDPR provides consumers with the right to ask for copies of all personal data and also to demand remediation if the data is incorrect. This right also extends to data residing in third-party databases.
Facebook has no way of conforming to this provision today, although it is limiting the amount of data apps can receive and investigating apps that had access to data in the past. In a full-page ad placed in several major newspapers over the weekend, Facebook stated that it would be reminding users of which apps have access to large amounts of personal data so users could “shut off the ones you don’t want anymore.” While this is a commendable first step, it does not comply with either review and remediate or the right to be forgotten.
The bottom line? The outrage is significant enough that even Facebook expects to see changes in the laws around digital data. Mark Zuckerberg has said that it is not a question of whether there will be legislation, but rather what type. The strong and immediate reaction to this incident in both the US and the UK should serve as a warning shot for all companies collecting and using consumer personal data, digital data in particular.
Take a good hard look at the protections enacted by the GDPR, because like it or not, they will apply to you one day. And that day may come sooner than you think.