Thursday, March 29, 2018
If everything reported in the media is to be believed, the data was gathered in 2014 through an app built by a Russian-American researcher called Aleksandr Kogan.
Reports suggest the users who were targeted were Americans based in the United States, but interestingly the information was obtained, allegedly, following the “consent” of 270,000 users who agreed to have their data collected and used “for academic research.” Apparently, they received a small payment for agreeing to this.
Nothing wrong with that, you might think? However, one of the problems appears to be that the app collected not only the consenters’ personal information but also that of their friends, none of whom allegedly knew anything about it. It is also reported that the information has allegedly been used to create millions of “psychographic” profiles, “…that could then be used to design targeted political ads” (Source www.aljazeera.com 28/03/2018).
The upcoming General Data Protection Regulation (GDPR) implementation on 25 May 2018 brings data protection provision into sharp focus, and we thought it would be a useful exercise to look at what the consequences might have been if the alleged breaches of data protection legislation had occurred after the GDPR came into force. Of course, there are likely to be significant consequences anyway under the existing rules governing data protection in the UK; the Information Commissioner’s Office is looking closely at Cambridge Analytica’s records as we speak!
So, if the GDPR had been in force when this alleged information harvesting, profiling and targeted advertising to sway potential voters had taken place, and, for argument’s sake, the people affected had been millions of EU citizens, what might the consequences have been?
Before we go on, we should say it has been widely reported that apparently, Cambridge Analytica deleted all the data received from Kogan’s company, Global Science Research (GSR) once it found out the personal data had not been obtained in line with Facebook’s policies. They also said that none of the GSR information was used by Cambridge Analytica as part of the services it provided to the now president of the United States, in the 2016 presidential campaign.
Whatever the situation, we must bear in mind that the existing Data Protection Act 1998 was born out of the data protection directive drawn up by the European Commission in 1995, well before Facebook even existed.
Since before Facebook’s birth in 2004, a significant majority of internet users have used Information Society Services (ISS) on a regular basis, and apparently for free. But the quid pro quo is that the ISS operators gain our data and can use it to prepare profiles on individuals and target marketing. Has anyone reading this article who uses the Internet on a regular basis, not been bombarded with advertising, strangely based on items that we might have purchased on the Internet or websites that we might have looked at in recent years?
It is likely that we have all been significantly profiled already and our data used to target market us, but that is another story.
The GDPR seeks to place significant controls on ISS providers after 25th May 2018 so, let’s have a look at some of the provisions and how they might have been relevant in the above hypothetical scenario, the harvesting and use of the data alleged in the press during recent weeks.
So, what might the relevant provisions have been? It’s worth reviewing what the material scope of the GDPR is. Inside scope is “personal data processed wholly or partly by automated means” and data which forms, or is intended to form, part of a filing system. Outside material scope would be any activity outside of EU law, data used in border checks, data used purely for personal or household reasons, or data used in pursuit of the prevention of crime.
Territorial scope includes “processing of personal data by a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” This indicates that if the processing of the personal data by Cambridge Analytica, which allegedly took place in the Union, had happened after GDPR implementation, it would have been within both material and territorial scope!
So, hypothetically, if the data had fallen within material and territorial scope, what would the controllers and processors of the data have been required to do?
The principles regarding processing of personal data are laid down in Article 5 (1) and require that personal data shall be: processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary (for the purpose); accurate and, where necessary, kept up to date; stored for no longer than is necessary; and processed in a manner that ensures appropriate security of the personal data.
Article 5 (2) requires that “The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (accountability).”
In order to show that the data has been processed lawfully, the controller and processor must demonstrate one of the following: that consent had been given; or that the processing was necessary to perform a contract between the controller and the data subject; or that the controller/processor was under a legal obligation; or that processing was needed to protect the vital interests of the data subject; or that processing was in the public interest or in the legitimate interests of the controller or data subject.
Where processing is based on consent, the controller must demonstrate the consent was given. Consent would usually be accompanied by a privacy notice which would inform the data subject of exactly what the purposes of the processing of the data would be!
Any special categories of data would have required further conditions to be met, special categories include things like religious or philosophical beliefs, trade union membership, genetic data, biometric data, political opinions etc. In the case of special categories, political opinion being one of those, explicit consent must be given to the purposes of processing.
It goes further: all the data subjects who might have been “victims” of possibly unlawful processing have rights. These include transparency of processing, obtaining information about and access to personal data, rectification, erasure, the right to object to processing, and rights in relation to automated individual decision-making. These rights would have to be explained to the data subject when the data was harvested.
Article 13 requires that substantial details be provided to the data subject where the information is collected from the data subject, at the time it is collected. And Article 14 requires substantial information to be provided to the data subject where the personal data have not been obtained directly from the subject! If the data was going to be processed, used or transmitted to a third party, that information would have to be given to the data subject prior to its transmission and, at the latest, within one month of obtaining the information!
Under the GDPR, the rights of the data subject would have to be explained to them at the time of data harvesting and before any processing or transfer of the data took place. Breaches involving the principles of processing, lawfulness of processing, consent, special categories of data and breaches of the data subject rights and freedoms would all be subject to the mandatory breach reporting under GDPR which imposes a time deadline of 72 hours from the time the breach was known except in certain exceptional circumstances!
If data subjects had experienced breaches of their rights and freedoms under the GDPR, then this could have led to a potential fine of 4% of the global turnover of the breaching controller and processor (jointly and severally)!
Now obviously this doesn’t apply to Facebook or Cambridge Analytica as the GDPR isn’t in force yet, but it is worth remembering that Facebook’s global turnover might have amounted to approximately $40.7 billion in 2016 (source www.statista.com 28/03/2018). Whatever the truth or accuracy of this figure, 4% of $40.7 billion amounts to $1.628 billion! If you are using the UK version of billions that would be $1,628,000,000. Facebook have already seen billions of dollars wiped off the value of their stock following the emergence of the story. These would have been scary figures to any Director or CEO if it had happened after 25th May 2018!
In addition to the possibly swingeing penalties that might have been imposed, the data subjects would have had the right to raise a claim for compensation individually, and to gain access to their data and processing records, which would have had to be provided within 30 days of the data subject raising their request, at no charge to them. We suggest that it wouldn’t matter how big an organisation was: if it had to deal with disclosure requests running into the millions, which is possible where millions of records might have been involved, it would at best struggle to comply, bringing with it the possibility of more fines and compensation claims. Luckily for all the companies involved in the alleged activities, the current limit on fines which the UK Information Commissioner can levy for a breach of data protection rules is £500,000.
Let’s hope that the new rights, freedoms and protections enshrined in the GDPR will lead to much improved protection and use of personal data by all ISS providers, because the European Commission wants the level of the fines to be “effective, proportionate and dissuasive.” If the alleged happenings reported in the press had occurred after 25 May 2018, we suggest they certainly would have been. We await developments with bated breath.
Kingdom Claims Services Ltd ©