Commentary

ICO Investigates Facebook: Will GDPR Be Its 'Get Out Of Jail Free' Card?

It's probably one to file under "what took you so long" -- but Information Commissioner Elizabeth Denham has announced that Facebook is to be investigated over the Cambridge Analytica data leak.

The announcement comes on the same day as the Culture Secretary, Matt Hancock, announces that he is to meet Facebook next year to ask what will presumably be front of mind for Information Commissioner Elizabeth Denham -- how on earth did you manage to have a system through which more than a million Britons had their personal data leaked? While we're at it, how on earth could it have been misused by a political campaigning company hellbent on getting Trump into power?

The same questions will be asked of Aggregate IQ, a Canadian company that appears to be under suspicion of similarly using Facebook data for political ends, including persuading the British public to vote to leave the EU.

Some hard questions will be asked, but it's worth remembering that the ICO has never fined anyone above GBP400,000 -- a place in the history books occupied by TalkTalk following its infamous data leak, the result of a hack attack. The most it is allowed to fine under the Data Protection Act is GBP500,000. When you compare that to the €20m or 4% of global turnover the GDPR brings in from May 25th, the DPA looks particularly toothless, doesn't it?

It's also a lot easier to see, under GDPR, how CA or Facebook could be fined. Sensitive data, such as political beliefs, cannot be processed without explicit consent. When I've looked at a couple of Facebook apps I've used, this permission is assumed in a pre-ticked consent box. Under GDPR, this is illegal. Only I can tick the box to give permission for any religious, trade union, political, health or sexuality data to be processed. 

However, what has been done to date is subject to the Data Protection Act, and it is not nearly so clear.

Ironically, both laws offer pretty much the same protections -- with the addition of data portability and sensitive personal data in GDPR. It's just that GDPR requires companies to be far more open, honest and up front about who they are, what data they're collecting and what they want to do with it.

The DPA kind of has this stance too, but it's not so up front. It allowed policies to be hidden away in privacy notices nobody ever reads. The GDPR brings all this to the fore, requiring that consumers know what they are allowing to happen to their data.

Nevertheless, the DPA does set out that companies need to inform users what they want to do with data, and that data be handled only in a way that doesn't impact the member of the public and is in accordance with what they might reasonably expect.

Don't know about you -- but a test that tells me if I'm introverted or extroverted being used to provide access to my data, and that belonging to my friends and family, isn't the kind of fun quiz that I could expect to be used to get Donald Trump into power. 

For me, then, the DPA has been broken. Too much data was taken, its use was not made clear (even in a far-off privacy notice) and almost certainly without sufficient safeguards. The ICO are obviously the experts here, so we'll have to await their decision.

The outcome is clear to me, however. Facebook will adhere to the rules it has recently set out for itself, which are effectively the steps it would need to take for GDPR compliance anyway. Permissions will be clearer, and less data will be taken from people, and most certainly not their details on friends and family. No sensitive data will be asked for -- and if it is, it can only be used with explicit permission. 

This, I reckon, will give everyone a face-saving moment. Zuckerberg will say "we've listened and learned," and the ICO will say they have intervened and Facebook has promised to change its ways.

It will only be a few cynics in digital marketing who will know that everything Facebook has offered to do is what it already had to undertake to be GDPR compliant. 

Facebook will face some more tough headlines and a couple of grillings but will just use GDPR compliance to get over the whole debacle and carry on swapping its users' data to offer targeted advertising that will continue to bring in billions of dollars of revenue per year.