How Cambridge Analytica (And Facebook?) Breached All The Privacy Laws


Justin Cudmore and James True of Marque Lawyers explain the who, what, when, where and WTF of a scandal engulfing one of the world’s biggest companies.

It started with a seemingly innocent personality test on Facebook. More comprehensive than the usual ‘what is your luckiest day?’ or ‘what colour is your dog’s aura?’ tests, this one was created by the University of Cambridge and seemed legit. However, the motives of the academic conducting the test were not.

That academic is Aleksandr Kogan. He collected the data with the intent of selling it to Cambridge Analytica, a data analysis business engaged by the Trump and Brexit campaigns to create targeted ads online. When the punters completed the personality test they agreed that Kogan (and Cambridge Analytica) could use the data. They also allowed access to their Facebook profiles, including likes and friends.

With access to the profiles of the original 270,000 users who took the test, Kogan went on a data scraping spree and collected info from a further 50 million friends of the original users. Cambridge Analytica then analysed that data to create ‘psychographic profiles’ of the users based on the personality measures of openness, conscientiousness, extroversion, agreeableness and neuroticism. Put simply, it worked like this: the personality test results gave the profiles of those individuals. Those profiles were matched against the things those individuals ‘liked’ on Facebook. Those correlations were then applied to the ‘likes’ of the 50 million extra users to predict their personality traits.

For example, someone who ‘likes’ Hello Kitty is probably high on openness but low on neuroticism. Like Lady Gaga? You’re an extrovert. Ads were then targeted to individuals based on their profiles. If you were assessed to be neurotic, you’d see an ad depicting a home invasion.

Moving beyond the likelihood that, absent the work of Cambridge Analytica, Trump would not be POTUS right now, let’s look at which privacy laws they actually breached.

We think most of them, but here are the two biggies:

Serious breach 1: The original 270,000 punters had only agreed that their data could be used for academic purposes, not for targeting political campaign ads. Privacy laws everywhere say you can only use data for the purposes for which you get consent at the time of collection.

Whopping breach 2: They had no consent (at all) to collect the personal information of the additional 50 million Facebook users. Those users didn’t even know their data was collected.

More significantly: Did Facebook also break the law? In Australia, possibly. Facebook routinely shares user data with third parties, but its data policy states the purposes for which the data can be used: it can be shared with a third party only for ‘conducting academic research and surveys’. Political campaigns are a no-no: therefore, Cambridge Analytica breached Facebook’s terms.
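As an added illustration (not code from the article, from Facebook or from Cambridge Analytica), here is a Python purpose-limitation gate of the kind that would have refused both breaches described above: each subject’s own consent, recorded with the purposes agreed at collection time, is checked against the purpose of the request, and a friend’s record is never released on the strength of the quiz taker’s consent. The user ids, purpose labels and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Consent:
    purposes: frozenset   # purposes the user agreed to at collection time
    granted_on: date


@dataclass
class Decision:
    released: list = field(default_factory=list)
    refused: dict = field(default_factory=dict)   # subject id -> reason


def authorize_disclosure(consents, subject_ids, purpose, requested_on):
    """Check each subject's own consent against the purpose of this request."""
    decision = Decision()
    for sid in subject_ids:
        consent = consents.get(sid)
        if consent is None:
            decision.refused[sid] = "no consent on record"
        elif consent.granted_on > requested_on:
            decision.refused[sid] = "consent was not given at collection time"
        elif purpose not in consent.purposes:
            decision.refused[sid] = f"purpose '{purpose}' not covered by consent"
        else:
            decision.released.append(sid)
    return decision


def expand_to_friends(consents, seed_ids, friends_of, purpose, requested_on):
    """Friends are judged on their own consent; nothing is inherited from the seed user."""
    friend_ids = {f for s in seed_ids for f in friends_of.get(s, ())} - set(seed_ids)
    return authorize_disclosure(consents, sorted(friend_ids), purpose, requested_on)


# Constructed sample data (hypothetical ids): u1 and u2 took the quiz and agreed to
# academic research only; f1 is merely their friend and never agreed to anything.
CONSENTS = {
    "u1": Consent(frozenset({"academic_research"}), date(2014, 6, 1)),
    "u2": Consent(frozenset({"academic_research"}), date(2014, 6, 2)),
}
FRIENDS = {"u1": ["u2", "f1"], "u2": ["u1", "f1"]}

if __name__ == "__main__":
    print(authorize_disclosure(CONSENTS, ["u1", "u2"], "political_advertising", date(2016, 9, 1)))
    print(expand_to_friends(CONSENTS, ["u1", "u2"], FRIENDS, "academic_research", date(2014, 7, 1)))
```

Run as a script it refuses the political-advertising request for both quiz takers and refuses the friend for having no consent at all, while the academic-research request for the quiz takers themselves is the only one that passes.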

Facebook founder, Mark Zuckerberg. (IMAGE: Anthony Quintano, Flickr)

Facebook is claiming this is just a breach of contract by Cambridge Analytica, and not Facebook’s (legal) problem. Mark Zuckerberg eventually released a statement: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you”. He continued: “This was a breach of trust between Kogan, Cambridge Analytica and Facebook.”

Facebook deputy general counsel Paul Grewal went a step further in insulting our intelligence by claiming users “knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.” He also stated “everyone involved gave their consent”.

Sorry not sorry.

The Facebook defence will be: 1. Everyone consented to their data being given to third parties for academic purposes; and 2. It was Kogan and Cambridge Analytica who used it for other purposes, which had nothing to do with Facebook. However, let’s unpack that.

The notion that a business can rely on consent formed by users ticking a box, stating they have read and understood T&Cs which of course they haven’t read, is losing legitimacy. Anna Johnston, a former NSW deputy privacy commissioner, calls the concept “an absurd legal fiction which can no longer stand”. We agree. So does the EU, where new privacy laws with worldwide application are about to come into effect and require consent to be freely given, specific, informed, unambiguous and signified by a clear affirmative action. The tick box won’t cut it any more.

Under Australian privacy laws, businesses have an obligation to take reasonable steps to ensure personal information is not misused by third parties. Facebook freely gave the data to Kogan and Cambridge Analytica who agreed to only use it for academic purposes. Is that where Facebook’s obligations end? Is merely getting a promise to do the right thing enough? We think not.

In investigating the disclosure (which he is doing), the Australian Privacy Commissioner will look at not just the terms of the contract, but Facebook’s size, resources, the complexity of its operations, its business model and the kind of information it holds about us when determining what are “reasonable steps”. It’s not difficult to see that Facebook will be held to the absolute highest standard.

When Facebook was told the data had been misused, it wrote to Kogan telling him to delete it. He didn’t, and Facebook didn’t follow up. Reasonable? The smoking gun, however, is the fact that Facebook employees worked in Trump’s campaign office alongside Cambridge Analytica – it seems unlikely that Facebook wasn’t aware of how the data was being used anyway.

So where to from here?

Zuckerberg has advised that Facebook is already cleaning up its act: it will audit all the apps which access Facebook data, will restrict apps’ access to data, and will produce a new tool which makes it easier for users to see who has access to their data. That’s progress, but in light of all of this, can they be trusted?

Privacy has been a hot topic for the last few years, but we haven’t seen any serious scalps taken following a breach. However, under the new EU privacy laws the regulators may impose fines of up to 20 million euros or 4% of turnover (which means billions for Facebook). The EU has always been at the forefront of privacy law change, and it’s clear from their new laws that they’re getting really serious. We expect they will make an example of someone’s bad behaviour soon after the introduction of the new laws, and that example may be Facebook.

Always a good idea to end with a tortured metaphor. Social media may be the Wild West, but a new sheriff is comin’ to town. Time to bring the children indoors.

Justin Cudmore is a partner at law firm Marque Lawyers. James True is a lawyer with Marque Lawyers.