Jeffrey L. Poston; Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPT; Brandon C. Ge

Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of personal information. Legislators in the U.S. and the UK have called for hearings.

The Federal Trade Commission (“FTC”) has confirmed it is conducting an investigation into whether Facebook violated the terms of its November 2011 consent decree requiring it to, among other things, “not misrepresent . . . the extent to which it maintains the privacy or security of [personal] information,” and “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [personal] information.” Several state attorneys general have also announced investigations, and Facebook faces at least one shareholder lawsuit alleging that Facebook did not properly disclose the third-party access to users’ personal information.

Starting in 2014, Aleksandr Kogan, a Soviet-born academic based out of the United Kingdom, used Facebook developer tools to create a personality test app named “thisisyourdigitallife,” which was marketed as a “research app for psychologists.” Approximately 270,000 users downloaded and used the app and, by doing so, consented to give access not only to their own Facebook information, but also to that of their friends. In this manner, the app was able to leverage 270,000 users to access 50 million profiles. The harvested information included the cities where users lived and their “likes” on Facebook.

Several media commentators and public officials have characterized this incident as a data breach. As the news began to emerge, Facebook stated that there was no breach and no violation of the FTC consent decree because Kogan gained access to this personal information in a legitimate manner, users consented and knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or disclosed.

Facebook further stated that Kogan violated Facebook’s policies and the app’s representations to users by selling that data to a third party, Cambridge Analytica. When Facebook learned about Kogan’s activities in 2015, it removed the app from its site and obtained certifications that the data had been destroyed. Earlier this week, Facebook hired a digital forensics firm to investigate whether and to what extent any copies of such data may still exist.

The privacy concerns expressed by the regulatory and private sectors come shortly before the May 25, 2018 effective date for the EU General Data Protection Regulation, with its emphasis on individual control and accountability for the use of personal information. Stay tuned.