• by Sean Hargrave , Staff Writer, March 21, 2018

It is becoming a little clearer how Cambridge Analytica got access to millions of Facebook profiles. It simply used a psychological app to tell people what they're like and then harvested the data. This is where, in some cases, GDPR is poised to help us take back control.

The creator of the app in question claims he is being used as a scapegoat. However, it's a little too late to say CA provided the paperwork and said it was legal to harvest millions of Facebook profiles and then say you had no idea they were, erm, harvesting data. 

The point is that we're all to blame -- not to so much for telling Facebook too much about ourselves, which we all do, but also spurious apps that pop up on our screens to test our knowledge and to rate us in some way.

I try my best to avoid them because they are clearly data-gathering traps, which just take up too much time. However, I went to "settings" and then "apps" on Facebook today and there were a couple of dozen apps that had access to everything I have up on Facebook.

Believe me -- I try to avoid signing in with Facebook and avoid the "which soap star are you?" or "take our personality test" apps. Nevertheless, over the years, I must have clicked "yes" for a few apps. This despite me always refusing to click the "spy on my friends and groups" consent button that pops up whenever you try to do anything that offers a test result or claims to speed up log in.

All I can say is -- go to Facebook, clicking on "settings" and then "apps," and you will likely find dozens of apps that are harvesting your data as well as using your profile to get data on friends. 

So I'm starting to wonder just where the illegality comes in with the data CA used to try to steer Trump in to the White House -- and presumably, influence the Brexit vote, perhaps?

The app in question would have had the right to gather all that data -- it must have been the transfer to CA without the users' permissions that makes the whole deal illegal? Nevertheless, it raises the question: what if there is no need to share the data? What if there are people who own these personality test apps who are ones with bad intentions? They have all the data they need. We gave it to them. And all to find out if which character in Friends we resemble most or see where we fall on the "introvert or extrovert" test. 

Getting back to permissions, here is the really spooky part. When you click "ok" to carry on with whatever it is you want to do, you're giving access not just to your profile and email address but also to your list of friends. That's pretty invasive, in my book.

But here's where it becomes really intrusive. A few of the apps on my list are tracking my religious and political views as well as the groups or pages I like.

Can anyone here see a GDPR bear trap opening right up for Facebook and these apps it allows to scour around gathering our personal information? I can. Let me explain very briefly.

A lot of companies quite legally claim direct marketing to be a "legitimate interest" under GDPR. They want to market, it does us no real harm, so they will carry on.

However, GDPR is very clear on sensitive data. It can only be processed with unambiguous and informed permission from the person involved. Religion is one of those areas selected as being sensitive, as are political views, union activity, sexual orientation and the like. 

I removed a bunch of apps from my Facebook list, but I have kept a couple aside that have automatically assumed the right to process my religious and political beliefs as well as the pages I like. The beliefs are undeniably sensitive data, and there could well be sensitive data in the groups or page I have liked -- particularly if they represent my sexual orientation, my health or union activity. 

You can probably guess the next bit. May 26th -- the day after GDPR becomes law -- guess who will get reported to the ICO for processing sensitive data without my permission that could only have been achieved through repermissioning me?

The brands involved will claim that I said "yes" at some stage to selling them a kidney to find out which Star Wars character I most resemble or easy log-in from any device. However, they are on thin ice that's melting. Permission under GDPR must be granular and must be informed and freely given. 

Withholding access to an app unless permission is given means that it is, by definition not freely given. By bunching in a whole set of assumptions and pre-ticking a load of boxes you only discover after an investigation in the "settings" menu, is very much not granular or representative of permission given for each use. Do you get the drift? Nothing in this represents permission under GDPR's revised definition.

Nor do any of these tactics come anywhere near having achieved granular, informed consent to processing each form of sensitive personal data.

So we have ourselves to blame for having inadvertently given away too much. We have all done it. On May 26th, the day after GDPR becomes law, we get to fight back. Are you in?