The investigation into the reported massive data leak by Facebook and the inner workings of Cambridge Analytica should be of concern to all of us, in what appears to be the most serious violation of personal data of all time. It’s imperative the European Parliament and the European Commission urgently investigate what happened.
While the UK Parliament has already conducted hearings with Facebook and Cambridge Analytica about possible interference with the Brexit referendum, clearly this is a matter of broader European interest. Europe already has great cause to be alarmed by Russian interference in European politics and our information ecosystems more generally. Steve Bannon, who worked with Chris Wylie to set up Cambridge Analytica and went on to be Donald Trump’s chief of staff, has now set his sights directly on continental Europe, cosying up to all sorts of nationalist and Christian-right wing movements in an attempt to perpetuate his alt - right culture war, from Marianne Le Pen to Orbán, the Polish PiS government party, the German Alternative für Deutschland, the Dutch Christian Union, or indeed Nigel Farage.
The practices of Cambridge Analytica and Facebook must be assessed against European data protection laws, in particular the General Data Protection Regulation that will soon enter into force. Under the forthcoming GDPR, Facebook would probably be slapped with fines of up to 4% of their annual turnover. The crocodile tears of Zuckerberg will not help him.
National Data Protection Authorities must use their full powers to investigate the allegations made by Chris Wylie, without delay. It would appear that Facebook has grossly violated data protection laws by failing to report the unlawful use of its customer data by Cambridge Analytica. Under British data protection laws, and indeed that of many other European countries, it’s illegal for personal data to be sold to a third party without consent.
In addition, the kind of data processing mentioned in the Cambridge Analytica Files, is labelled “market research” and “academic research”. There is a potential weak spot in the GDPR which provides for exemptions from strict data protection rules for research, a hot topic during the negotiations on the GDPR. It must quickly be assessed if indeed the research exemption can be abused in this way, and if so, this loophole must be closed as a matter of urgency.
Likewise, revelations suggesting that Cambridge Analytica had in fact worked with Russian state companies on numerous projects, when they always denied any link to Russia, must be explored. So too should reports that the DUP and Vote Leave spent hundreds of thousands of pounds paying a firm linked to Cambridge Analytica to help secure the Brexit vote. The relationship between the Mercer family, Nigel Farage, Steve Bannon and their links with Cambridge Analytica is a murky one.
The European Commission now also needs to get serious about protecting our privacy and personal data outside Europe, including with the Americans and with the UK, post-Brexit. Arrangements like Privacy Shield were never remotely adequate, and the case at hand underlines the urgency of the European Union adopting proper protections. This could have an impact on any future EU - UK data adequacy arrangements.
Sharing personal data in the context of law enforcement and security may be necessary, but if there are no sufficient safeguards, they may also become a powerful political tool in the hands of parties outside Europe.
Currently, the European Parliament and The European Council need to agree on a new e-Privacy Regulation. EU Governments, as well as the EPP and ECR groups in the European Parliament are, as is often the case, pressing for weaker protection, in particular on the tracking & tracing of people. That is totally irresponsible.
Clearly, privacy and data protection laws by themselves are not enough to protect democracy. But they are an essential part of the protection against forces aiming to undermine democracy. Privacy and data protection are not about left wing vs right wing. The right to privacy and data protection is not just an individual right. Protecting privacy, is also essential for democracy, in many different ways. The Cambridge Analytica Files are the perfect demonstration of that. Europe has to wake up and protect its democracy. Privacy and data protection are part of our defense lines against undue interference. It is incomprehensible why we invest heavily in fighting “fake news”, but we are so careless about privacy protection.