The Cambridge Analytica data scandal that has rocked Facebook is a wake-up call for personal data handlers, Toby Duthie and Frances McLeod of FRA, and Tom Epps of Brown Rudnick argue in GIR.
The Facebook scandal around the alleged misuse of 50 million users’ data by consultancy Cambridge Analytica continues to unfold. The UK Information Commissioner’s Office (ICO) raided Cambridge Analytica on 23 March, after an English court granted the warrant earlier that day. (Lacking the power to carry out onsite inspections without notice, the ICO publicly announced the raid the day before it took place.) According to a 17 March report by The Observer, Cambridge Analytica obtained data from 50 million Facebook profiles. Facebook and Cambridge Analytica deny wrongdoing.
Around US$100 billion has been wiped off Facebook’s share price, but that harm is probably just the tip of the iceberg. The social media giant could face hefty criminal and civil fines (with possible fines per instance of data privacy breach), class actions, plus an exponential increase in regulatory scrutiny. All of this just as the EU General Data Protection Regulation (GDPR) is coming into force on 25 May, with its rigorous protections of personal data and draconian fining regime.
Investigations of data handling infringements have risen significantly over the last few years, and the current ICO investigation is a watershed. So, what should companies do?
Frances McLeod, Founding Partner
Toby Duthie, Founding Partner