Australia’s privacy watchdog has opened an investigation into Facebook in the wake of the Cambridge Analytica data misuse scandal.
Yesterday Facebook revealed that more users than previously thought could have had their personal information passed to the company back in 2014 — saying as many as 87 million Facebook users could have had their data “improperly shared”, thereby confirming the testimony of ex-Cambridge Analytica employee, Chris Wylie, who last month told a UK parliamentary committee he believed that substantially more than 50M Facebook users had had their information swiped.
And while most of these Facebook users are located in the US, multiple millions are not.
The company confirmed the international split yesterday in a blog post — including that 1 million+ of the total are UK users; more than 620k are Canadian; and more than 300k are Australian.
Though in tiny grey lettering at the bottom of the graphic Facebook caveats that these figures are merely its “best estimates” of the maximum number of affected users.
After the US, the largest proportion of Facebook users affected by the data leakage were in the Philippines and Indonesia.
In a statement today the Australian watchdog (OAIC) said it has opened a formal investigation into Facebook.
“The investigation will consider whether Facebook has breached the Privacy Act 1988(Privacy Act). Given the global nature of this matter, the OAIC will confer with regulatory authorities internationally,” it writes. “All organisations that are covered by the Privacy Act have obligations in relation to the personal information that they hold. This includes taking reasonable steps to ensure that personal information is held securely, and ensuring that customers are adequately notified about the collection and handling of their personal information.”
We’ve reached out to the National Privacy Commission in the Philippines for a reaction to the Cambridge Analytica revelations.
Indonesia does not yet have a comprehensive regulation protecting personal data — and concerned consumers in the country can but hope this latest Facebook privacy scandal will act as a catalyst for change.
Elsewhere, the Office of the Privacy Commissioner of Canada announced that it was opening a formal investigation into Facebook on March 26. In an op-ed, privacy commissioner Daniel Therrien also wrote that the Cambridge Analytica scandal underscored deficiencies in the country’s privacy laws.
“At the moment, for example, federal political parties are not subject to privacy laws,” he said. “This is clearly unacceptable. Information about our political views is highly sensitive and therefore particularly worthy of protection. We must take action in the face of serious allegations that democracy is being manipulated through analysis of the personal information of voters. Bringing parties under privacy laws would be a step in the right direction.”
Back in Europe, the UK’s data watchdog, the ICO, was already investigating Facebook as part of a wider investigation into data analytics for political purposes which it kicked off in May 2017.
We’ve asked if the agency intends to also open a second investigation into Facebook in light of the 1M+ UK users affected by the CA data mishandling — and will update this post with any response.
Late last month the UK’s information commissioner, Elizabeth Denham, revealed the watchdog had been looking into Facebook’s partner category service as part of its political probe, examining how the company used third party data to inform targeted advertising.
And last month the ICO was also granted a warrant to enter and search Cambridge Analytica’s offices.
Reacting to the Cambridge Analytica scandal last month, Andrea Jelinek, chair of the European Union’s influential data protection body, the Article 29 Working Party — which is made up of reps of all the national DPAs — said the group would be supporting the ICO’s investigation.
“As a rule personal data cannot be used without full transparency on how it is used and with whom it is shared. This is therefore a very serious allegation with far-reaching consequences for data protection rights of individuals and the democratic process,” she said in a statement. “ICO, the UK ́s data protection authority, is conducting the investigation into this matter. As Chair of the Article 29 Working Party, I fully support their investigation. The Members of the Article 29 Working Party will work together in this process.”
Also last month the European Commission’s justice and consumer affairs commissioner, Vera Jourova, told the BBC that the executive body would like to see new legislation in the US to strengthen data protection.
In Europe the incoming General Data Protection Regulation (GDPR) beefs up the enforcement of privacy rules with tighter requirements on how data is handled and a new regime of tougher fines for violations.
“We would like to see more robust and reliable legislation on American side,” said Jourova. “Something similar or comparable with the GDPR. And I believe that one day it will happen also in United States and that’s why I am now so curious how American society will react on this scandal — and other scandals which might come.”
The EC has a specific lever to press the US on this point — in the form of the Privacy Shield arrangement which simplifies the process of authorizing personal data flows between the EU and the US by allowing companies to self-certify their adherence to a set of privacy principles.
I welcome the FTC decision to launch an investigation into #Facebook following the recent revelations and taking into account the #PrivacyShield in their enforcement actions! I will continue to monitor the developments. https://t.co/F3UCm7lD05
— Věra Jourová (@VeraJourova) March 26, 2018
The mechanism was negotiated as a direct replacement for Safe Harbor — after Europe’s top court struck down that earlier arrangement, in 2015, in the wake of the Snowden disclosures about US government mass surveillance programs.
The Privacy Shield arrangement has its critics. It also includes a regime of annual reviews. In the BBC interview Jourova made a point of reminding the US that the arrangement — which thousands of companies rely on to keep their data flows moving — remains under constant review.
She also said she would be writing to Facebook seeking answers about the Cambridge Analytica scandal. “What we want from Facebook is to obey and to respect the European laws,” she added.
For its part Facebook caused confusion about its commitment to raising data protection standards on its platform this week after founder Mark Zuckerberg told a Reuters journalist that it will not be universally applying GDPR for all its users — given the law applies for all Facebook’s international users that essentially means the company intends to apply a lower privacy standard for North American users (whose data is processed in the US, rather than in Ireland where its international HQ is located, within the EU).
However in a follow up conference call with journalists Zuckerberg made some carefully worded remarks that seem to further fog the issue — saying: “We intend to make all the same controls available everywhere, not just in Europe” yet going on to caveat that statement with: “Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places.”
At this stage it remains unclear whether Facebook will universally apply GDPR or not. Zuckerberg’s remarks suggest there will indeed be some discrepancies in how it handles data protection for different users — what those differences will be remains to be seen.
Yesterday the Facebook founder also revealed that search tools on the platform had made it possible for “malicious actors” to discover the identities and collect information on most of its 2 billion users worldwide — essentially confessing to yet another massive data leak.
He said Facebook had now disabled the tool.
As with the millions of Facebook users’ data improperly passed to Cambridge Analytica, the company is unlikely to be able to precisely confirm the full extent of how the search loophole was exploited to leak personal data.
Nor will it be able to delete any of the personal information that was maliciously swiped.