Ireland's data protection commissioner says around 2,000 internet connections in Europe are linked to the Facebook/Cambridge Analytica data scandal in the US.
Amid ongoing controversy over how much the 2016 US presidential election was influenced by Facebook user data, the data protection commission has confirmed that in 2011 it viewed as problematic the "third-party consent" justification for sharing Facebook user data with app developers.
Until 2014, default Facebook settings allowed an app installed by one Facebook user to “scrape” data off all of that user’s friends too – without informing them.
This idea of "third-party consent" was flagged as illegal by Austrian privacy campaigner Max Schrems in a 2011 complaint to the data protection commissioner. It was one of the issues raised by the Irish data body in two audits with Facebook, ending in 2012.
A spokesman for the data protection commissioner told The Irish Times that by its assessment "the collection and processing of friend profile data and 'likes' history could not be justified in the context of app developers on Facebook's platform engagement with users".
Contracts
During “detailed discussions”, according to a data protection commissioner spokesman, Facebook insisted third-party consent was lawful because it would “improve the ‘in-app experience’ for users”. In addition, its contracts with app developers forbade the onward sale and/or disclosure of data to third parties without user consent.
A personality test app passed on data on around 50 million Facebook users, mostly in the US, to Cambridge Analytica for use by the Trump election campaign. Facebook blocked the firm from the site in 2015, and ordered it to delete the data, but did not inform users of the data transfer.
Although some interim controls were introduced after its two audits, the data protection commissioner confirmed it was three years after the original Schrems complaint and its first audit that Facebook restricted its “third party consent” sharing of data – because the social network updated its platform.
Three years
Asked why it took three years – and whether the change came as a result of regulatory pressure or regular software updates – the data protection commissioner said data protection regulation required an “iterative approach”.
The data protection commissioner, front-line regulator for 500 million Europeans and 374 million regular Facebook users in the EU, says its first discussions with Facebook indicate the Cambridge Analytica issue mostly impinges on US users – beyond its remit.
“We believe that there [were] less than 2,000 EU-based IP addresses among the 270,000 downloaders of the personality test,” said a spokesman for the data protection commissioner.
The Facebook controversy has sparked a debate over whether the Bill transposing new EU data laws into Irish law opens the door to the kind of political data processing pushed by Cambridge Analytica via Facebook.
The data protection commissioner said that political data processing was already possible under existing legislation.
With new EU data protection rules applicable from the end of May across the bloc, the commissioner said the new data protection Bill – bedding the General Data Protection Regulation (GDPR) into Irish law – “appears to bring … across” political data protection “but subject to safeguards”.
EU law
A leading EU data privacy advocate has warned that Ireland will be in breach of EU law if the Bill permits widespread political data processing.
German MEP Jan-Philip Albrecht says the GDPR he steered through the European Parliament prohibits any national laws allowing broad political opinion data dragnets.
“Such provisions would be void from May 25th, and it is not permissible for Irish officials to use them,” said Mr Albrecht, a Green MEP and data protection expert. “The EU regulation, as part of EU law, has priority over national law.”
Mr Albrecht said a “public interest” argument may apply for political parties and public bodies. Should the Irish Bill permit the collection and use of political preference data by businesses, however, it was likely this could be contested in the European courts.