“We have a responsibility to protect your information. If we can’t, we don’t deserve it,” wrote Facebook CEO and Founder Mark Zuckerberg in a full-page advertisement that has appeared in multiple print publications in light of the recent data privacy scandal.
On the weekend of March 17, a series of reports from major publications, such as the New York Times and the Guardian, exposed the most recent data privacy scandal: Cambridge Analytica (US and UK), a data-marketing firm operating under parent organization SCL Elections Ltd., managed to capture non-authorized personal information from 87 million US Facebook profiles.
The reports are chilling. The notion that a data company attempted to poke around personal information, and succeeded, sounds like a plot from a thriller – perhaps even a horror movie. It happened nonetheless. We’ve all heard of companies trying to pursue data for ad targeting and content, but reports say that Cambridge Analytica may have had a political endgame. The jury is still out on this one; however, the buzz points towards the speculation that the data, harvested back in 2014, swayed the 2016 US presidential election.
In the days following the unveiling of the scandal, Cambridge Analytica has seen its profile page suspended from Facebook. The company stated in a press release: “Cambridge Analytica’s Commercial and Political divisions use social media platforms for outward marketing, delivering data-led and creative content to targeted audiences. They do not use or hold data from Facebook profiles.”
Whistleblower and former Cambridge Analytica employee Christopher Wylie spoke before a British parliamentary hearing, shedding light on the company’s alleged involvement in using users’ personal data to influence the 2016 American voting process as well as Brexit.
Cambridge Analytica responded to the allegations in a press release dated March 19, denying any involvement in the illegal acquisition of Facebook users’ personal data with the aim of influencing the 2016 votes.
If you have a Facebook account, you’ve almost certainly used Facebook Login, which allows the user to create an account with a third-party app with Facebook credentials. It’s convenient, but it gives developers access to user information such as email addresses and public profile data.
Since the Facebook data privacy scandal, The Verge indicated, Zuckerberg has attempted to clarify that the company has stopped third-party apps from “getting so much information,” and that Facebook has started “limiting the data apps users get when they sign up.”
With the GDPR set to take effect on May 25th, information security is a hot topic for organizations. The Facebook data privacy scandal demonstrates that companies need to get even tougher and stricter with regulations on privacy. Although the data privacy scandal may not have been a full-on PII breach (read: the Equifax Fiasco), it did ignite a global reaction and caused an overnight drop in tech stocks.
When May comes around, and the EU’s GDPR comes into effect, will these kinds of cases be deterred by the data privacy regulation? Will penalties be set in motion?
According to the GDPR website, the new regulation applies to all organizations that process the personal data of EU residents, regardless of geographical location. Moreover, failure to comply with its directives may result in hefty fines, reaching up to €20 million or 4 percent of global annual revenue.
Hypothetically, if the data privacy scandal were to be exposed after the GDPR start date, would Facebook be subjected to heavy fines from GDPR authorities, due to their sloppy measures in data privacy? Considering the momentum surrounding the EU regulation, the above question is worth asking. It implies a series of challenges, notably the ethical nature of establishing a two-tier system, in which one level would comply with the GDPR – as it includes the profiles of all EU residents – and the second – involving the profiles of non-EU residents – would be excluded from such protection.
The Guardian explained that “Facebook refuses to promise GDPR-style privacy protection for US users.” In other words, the GDPR will not become standard policy, arching over the entire social network. Instead, the social media giant is implementing several awareness tools with the aim of empowering its users through tougher privacy best practices, as mentioned in The Guardian.
Need for cybersecurity awareness
Today’s cybersecurity landscape underscores the significance of data privacy and its actual frailty – if not strengthened by effective information security awareness catering to organizations, employees, and customers alike. In that respect, Facebook has started to run educational videos in News Feeds that demonstrate how to delete previous posts. These videos also explain what takes place when accounts are deleted, and how to go about data management for ads. With over 20 billion users, Facebook says it will regularly publish videos on various privacy issues and topics.
Facebook’s privacy principles demonstrate the company’s approach to data protection: giving users control of their own data and educating them on how it is being used. Facebook notes that it’s their responsibility to maintain privacy, while also acknowledging that it’s a process that needs to be continuously improved.
Facebook Chief Operating Officer Sheryl Sandberg said: “Our apps have long been focused on giving people transparency and control and this gives us a very good foundation to meet all the requirements of the GDPR and to spur us on to continue investing in products and in educational tools to protect privacy.”
It’s not the first data privacy scandal, and unfortunately, it will not be the last. The Facebook conundrum serves as an example of how vital privacy issues really are. It is a test for all organizations that want to maintain a top reputation in the market. Since businesses profit from the very acquisition of consumer data, users worldwide expect strong data protection – as they should – and demand that organizations genuinely care about their privacy through concrete actions (insert: an effective information security awareness program catered to all end users).
Next week, Zuckerberg will be testifying publicly before the US Congress, reported the New York Times yesterday. The corporate mogul will be talking with the House Energy and Commerce Committee about the way Facebook has poorly handled user privacy in the past, and how the company plans to remedy the situation.