Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of personal information. Legislators in the U.S. and the UK have called for hearings.

The Federal Trade Commission (“FTC”) has confirmed it is conducting an investigation into whether Facebook violated the terms of its November 2011 consent decree requiring it to, among other things, “not misrepresent . . . the extent to which it maintains the privacy or security of [personal] information,” and “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [personal] information.” Several state attorneys general have also announced investigations, and Facebook faces at least one shareholder lawsuit alleging that Facebook did not properly disclose the third-party access to users’ personal information.

Starting in 2014, Aleksandr Kogan, a Soviet-born academic based out of the United Kingdom, used Facebook developer tools to create a personality test app named “thisisyourdigitallife,” which was marketed as a “research app for psychologists.” Approximately 270,000 users downloaded and used the app and, by doing so, consented to give access not only to their own Facebook information, but also to that of their friends. In this manner, the app was able to leverage 270,000 users to access 50 million profiles. The harvested information included the cities where users lived and their “likes” on Facebook.

Several media commentators and public officials have characterized this incident as a data breach. As the news began to emerge, Facebook stated that there was no breach and no violation of the FTC consent decree because Kogan gained access to this personal information in a legitimate manner, users consented and knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or disclosed.

Facebook further stated that Kogan violated Facebook’s policies and the app’s representations to users by selling that data to a third party, Cambridge Analytica. When Facebook learned about Kogan’s activities in 2015, it removed the app from its site and obtained certifications that the data had been destroyed. Earlier this week, Facebook hired a digital forensics firm to investigate whether and to what extent any copies of such data may still exist.

The privacy concerns expressed by the regulatory and private sectors come shortly before the May 25, 2018 effective date for the EU General Data Protection Regulation, with its emphasis on individual control and accountability for the use of personal information. Stay tuned.

Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Brandon C. Ge

Brandon C. Ge is an associate in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy & Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.