Move swiftly so they stop breaking things! Seven things policy-makers can do about the Cambridge Analytica and Facebook Scandal
The ongoing Facebook and Cambridge Analytica scandal is a wake-up call for UK policy-makers who too often encourage and promote digital industries over the protection people’s personal data. The scandal has shown that the public is concerned by companies’ exploitation of their data. The current lack of transparency into how companies are using people’s data is unacceptable and needs to be addressed.
Reform should not be limited to the behaviour of individual companies. Consumers are confronted with an entire hidden ecosystem of companies that are harvesting and sharing data. From credit scoring and insurance quotations to targeted political communication, this data is being used for far-reaching purposes.
Now is the time to identify the stringent safeguards that are needed to protect our data.
Here are a few simple actions politicians must take. We urge you to send these recommendations to your Member of Parliament.
What policy-makers need to do about the Facebook and Cambridge Analytica scandal
1) Defend privacy as a fundamental right — stop playing data protection against innovation
Data protection and privacy are fundamental rights. To enshrine data protection as a fundamental right in the UK post-Brexit, the EU Charter of Fundamental Rights needs to be retained. Data protection and privacy rights are also fundamental to users’ trust in new technologies, because they addresses the vast power imbalances between consumers and those that process their data. Without such consumer trust, innovation cannot thrive. Countless polls and consumer surveys show how consumers’ trust in new technologies like AI ultimately depends on how these technologies prove to be effective in protecting consumers’ privacy.
See this Eurobarometer study
2) Data Protection law is what we need, not market-driven ‘Data Ownership’
People should be in control over their data, no matter which company or agency holds it. Yet politicians are promoting ‘data ownership’ instead. Ownership implies that people can sell away their fundamental rights. This is a false solution that risks exacerbating the imbalance of power rather than addressing it. It will result in the exploitation of people’s economic concerns at the expense of their personal data and fundamental right. Instead, data protection law provides individuals with rights and protections on the processing of all personal data, regardless of who holds it. Privacy shouldn’t be a luxury.
3) Data Protection and consumer protection authorities need more resources to do their job
The Facebook and Cambridge Analytica scandal shows that even blatant violations of the law only ever reach the public eye if someone investigates. Data protection and consumer protection authorities play invaluable roles by instigating investigations, responding to complaints and taking enforcement action. Government must provide more resources and powers to consumer and data protection authorities to do their job. In the case of the Information Commissioner, the Data Protection Bill currently in the House of Commons provides a golden opportunity.
4) Political parties cannot be above the law
The current draft of the UK Data Protection Bill contains a number of problematic provisions. Of particular concern is paragraph 17 of Schedule 1 to the Bill which permits registered political parties to process personal data ‘revealing political opinions’ for the purposes of their political activities. While political parties’ engagement with voters is a key part of a healthy democracy, we are concerned that this exception would continue to give political parties too much leverage in processing data for targeted online advertising. Paragraph 17 should be removed from the Bill or at the very least amendments made to ensure that the scope of the condition is proportionate and adequate safeguards are established.
See Privacy International’s evidence on the UK’s Data Protection Bill and proposed amendments.
5) Individuals need effective remedies
The current scandal shows that many unlawful practices take place without being seen, and are only revealed when independent researchers conduct lengthy and detailed investigations. This is why the EU General Data Protection Regulation (GDPR) includes Article 80.2, an optional provision, that would allow qualified non-profit organisations to pursue data protection infringements on their own initiative. Sadly, the Government chose to not include this provision in the UK’s Data Protection Bill. We urge the House of Commons to implement this crucial provision.
See Privacy International’s evidence on the UK’s Data Protection Bill and proposed amendments.
6) Support a strong ePrivacy regulation
If you are worried about third party data harvesting on Facebook, you should be really worried about the state of the art in online and location tracking. The draft EU ePrivacy Regulation complements the GDPR by providing clear and specific rules on issues such as tracking of individuals online and offline and the use of location data. Companies are lobbying to prevent this regulation from being adopted. Governments are dragging their feet and there is a real risk that the law will not see the light of day, despite the strong support of the European Parliament and consumer protection organisations.
See Privacy International briefing on ePrivacy regulation.
7) A right to know when you’re politically targeted
Political campaigning and advertising must be more transparent and therefore accountable. Political parties need to report which data analytics companies they have contracted, how much they are paid, and exactly what role these companies will have in campaigning. Simply describing activities as ‘surveys’ or ‘research’ is unacceptable as data can be misused under such vague descriptions. In addition, political parties must be transparent about which online targeted messages they have funded.