In 2014, a simple Facebook quiz app, known as “thisisyourdigitallife” was created purporting to assist in a research project.
It utilised the increasingly popular app based ‘Facebook Login’, which allows users to create profiles without having to input new credentials. The user, by logging in with this service, agrees to share a range of information from their Facebook profile with the developer. Around 270,000 individuals used Facebook Login to access this app.
In 2015, unbeknown to the individual, Facebook’s terms of service afforded developers unfettered access and the ability to collect information from the user, including their friends list information. Therefore, developers were not just able to access the user’s data, but also data from their friends, all under the same consent.
From the 270,000 quiz takers, data was able to be harvested from 50 million Facebook users. This data included locations, interests, photos, status updates and much more. All of this followed and was allowed under Facebook’s terms of service. From this data trove, the company was able to match user information with other records and build entire profiles.
It is estimated that around 30 million individuals’ data was then sold to Cambridge Analytics. The accusation is that this data was then used to influence the US presidential election by micro-targeting and influencing the electorate. User data is a treasure trove that companies have exploited for many years, and this is a foreboding example of the power of unchecked data harvesting.
Had the breach occurred after the 25 May 2018, when the General Data Protection Regulation (GDPR) comes into force, Facebook could have been liable for a fine of 4% of their total global revenue. The GDPR will afford EU citizens the “right to be forgotten”. An EU citizen can request that any service provider in the world, which is connected to the EU by any means, to destroy or hand over (in a format of your choice) your personal data they hold.
GDPR and informed consent
As shown above, the current industry practice is a myriad of ‘Opt-out’ options, pre-ticked boxes, bundled consents and back door routes of collecting as much personal information on the individual as possible with a minimal level of consent. The philosophy of consent under the GDPR is that it must be freely given, specific, informed and an unambiguous indication of the individual’s wishes – and one of the main vehicles is ‘opt-in’.
There are 5 commandments to live by when looking at consent under the GDPR. Namely consent must be:
- Unbundled – you will not be able to pool together multiple consents into a single form of consent. The consent given should also not be a precondition of entering and using the service (except if necessary for the base functioning of the service provided).
- Active – no longer will it be acceptable to have pre-ticked boxes or complicated consents such as negative requests. Clear, obvious, positive and informative tick boxing systems will be the key to success under the new regime.
- Granular – gone are the days where you can bundle consent for multiple processing platforms. It will be best practice to separate consents for platforms including, but not limited to, SMS and e-mail.
- Named – Every company and/or third party that may use the personal data will be required to be named and made available to the individual when consent is given. This is causing a big stir as it will effectively lift the veil on how data is often used under the current regime.
- Easy to withdraw/unsubscribe – It must be clear to the individual giving consent what rights they have and how they may change and withdraw consent. It should be as easy to withdraw as it is to give consent.
The issue for companies that do not amend their policies now, is what happens when the GDPR comes into force? Supply chains will be requiring warranties of compliance and customers will be aware of their new rights so compliance is not something that can be avoided. It is unlikely that the regulator will adopt a scorched-earth approach to policing on day one, but this becomes a new area for competitors to highlight others’ noncompliance. Companies are likely to be able to rely on consents already given on the proviso that the systems already in place are GDPR compliant, namely the company’s data security provisions, systems and measures. What is clear is that there needs to be evidence of privacy by design as a guiding principle. So there is a lifeline offered to highly compliant systems. What is clear though is the need for some level of proactive measures to be taken.
Our bespoke GDPR team has years of experience advising and consulting on matters relating to data protection, privacy, risk, security and breach. Our lawyers have regularly delivered businesses with data protection strategies and mapping, in order to locally comply with UK and EU regulations. If you wish to discuss your GDPR requirements, please contact James Simpson on 020 3814 2020 or email firstname.lastname@example.org