Here is my take on the Facebook/Cambridge Analytica affair. I have no specialist inside knowledge or information but hopefully the blog can help focus the data protection debate on some of the issues (other than warrant delays and repeated claims by all parties that there is no data protection problem!). Please feel free to comment.
First to Dr Aleksandr Kogan. He is the academic employed at Cambridge University who first obtained the personal data for an academic research project undertaken by his company Global Science Research Ltd.
Global Science Research (GSR) Ltd is no longer trading and there is little in the press relating to how it originally obtained the personal data (other than a GSR form was completed). However, as Dr. Kogan is claiming that he is the scapegoat being hung out to dry by Cambridge Analytica (CA) and Facebook, hopefully he should be able to specify by what means he originally collected the personal data, what Facebook users were told at the time of collection and full details about the disclosure to CA. This will be a useful starting point.
Cambridge University as controller?
As an aside, I don’t think Cambridge University are in the clear. I am sure that if Dr. Kogan developed a new psychometric technique, Cambridge University would move swiftly to protect any Intellectual Property. If this is the position, the University cannot then claim that it is totally disinterested in the processing of personal data by Dr. Kogan’s company.
For instance, did Dr. Kogan’s credibility as a researcher and his personal data collection arise because he was employed by a prestigious University? Would Facebook users trust research undertaken by a Cambridge University don – but not perhaps research undertaken by a private company? Could some data subjects believe they were involved in a University research project? Did Cambridge University collect the personal data first and allow Dr. Kogan to use for his private company?
Although I don’t want to labour this point, I suspect the fall-out will include a set of rules governing the processing of personal data by academics for research purpose, and the degree of to which control is exercised by a University that pays their wages. Personally, I suspect Cambridge University could be a controller.
Consent of the data subject
So, let us assume that Global Science Research (Dr Kogan’s company) is the controller that collected the personal data of those who joined the research programme; this processing needs a ground for the processing which I assume is data subject consent. Such consent includes the identity of the data controller doing the processing.
However, personal data about Facebook friends were also obtained as part of the research project; these friends are also data subjects but they did not give consent directly to Dr. Kogan’s company. In this case, I suspect that the research could arguably be in the legitimate interest of the controller.
All personal data were subsequently disclosed to Cambridge Analytica (CA) who then used them to deliver assistance to the Trump Campaign. Disclosure is a processing operation, and I also assume that it would be argued that this processing would also rely on the same consent for data subjects who directly joined the research; however, this consent cannot cover the friends of Facebook users.
So, what was the nature of the “consent” given by all data subjects in this process – both those who signed up for the research and friends of those who signed up for the research? Does it cover CA’s processing purposes? How does the consent obtained by all parties compare with the statutory definition of consent found in Directive 95/46.EC:
'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
This is not a difficult comparison to make!
Fair processing notice
You will note that CA has obtained personal data from a Third Party (Global Science Research) and CA should have considered whether its obtaining is fair to data subjects who do not know about CA’s identity as a data controller. Additionally, do the friends of Facebook users know about the identity of CA as data controller?
So, are Facebook’s, CA and Global Science Research’s Fair Processing Notices adequate? This also should be a relatively simple establish. CA and Facebook, after all, have not gone out of business.
I suspect that the controllers involved have mistakenly conflated the grounds of the processing (consent in Schedule2) with the requirement to be fair (identity of the data controller) when these are separate obligations.
Finally, in this section, as Global Science Research disclosed to CA - this is “data sharing”. It should also be easy to establish to what extent Dr. Kogan, Facebook and CA took account of the statutory Code of Practice on data sharing.
Are Sensitive Personal Data processed by CA?
The processing of sensitive personal data is a new issue, mainly because not much sensitive personal data will have been disclosed by anyone.
The question is: if CA are processing “ordinary personal data” in order to deduce the data subject's political views (or to determine attributes that indicate the likely political views of a particular data subject) is CA processing sensitive personal data relating to politics. I think the answer is “yes”.
This is the answer the ICO came to when a £180,000 Monetary Penalty was applied to Chelsea and Westminster Hospital NHS Foundation Trust for using CC: instead of BCC: with an email distribution list. The personal data themselves are not sensitive personal data (e.g. the email distribution list) but the email was linked to an attachment containing HIV advice. The email thus revealed a HIV medical conditions of many on the emailed distribution list to everybody on the CC: list.
Following this approach, has CA processed non-sensitive personal data in a way that reveals the political views of data subjects; if so, this is also the processing of sensitive personal data. This means that any consent obtained by CA should be explicit consent. So has CA got “explicit consent”?
With respect to friends of Facebook users (who did not directly consent), what is the sensitive personal data grounds used by CA if it is not “explicit consent”? If there isn’t a legal basis, the processing should not have occurred.
I need to cover the issue that some might consider that the political views of the data subject have been manifestly made public by steps taken by the data subject (e.g. by posting stuff on Facebook). This might be true in some cases. However, I suspect that most sensitive personal data concerning politics have been revealed, not by the data subject, but by the deductive processing techniques employed by CA.
I suspect that CA do not have an explicit consent legal basis for processing sensitive personal data. For ordinary personal data, I am not sure that the data subject consent will be “specific” enough to meet the Directive’s definition of consent (especially for friends of Facebook users who did not directly consent to take part in the research project). In summary, I suspect there is no legal grounds for the processing that is currently in the news.
I also suspect that the Fair Processing Notices will not cover the identity of data controllers involved in the processing of the personal data of Facebook users and finally I suspect the statutory code of practice on data sharing has been studiously ignored.
This analysis does not limit itself to the political processing for the Trump Campaign; it applies to any CA processing any personal data revealing a data subject’s health, religion, race, politics etc. The Commissioner should thus look to CA’s current processing of personal data to see whether there are “repeats” especially as CA has a political campaigns division.
The only factor I am not sure about is the jurisdictional issues (e.g. if CA processed personal data, as a controller, via a USA subsidiary) but this does not matter if CA is currently processing personal data for current political campaigns.
Data Protection Courses (London)
- BCS Data Protection Bill/GDPR Practitioner Qualification: London starts 10 April https://www.amberhawk.com/StandardDP.asp
- Data Protection Bill UPDATE: London on 21 May https://www.amberhawk.com/bookevents3.asp
- BCS Data Protection Bill/GDPR Conversion Practitioner Qualification: London on April 17/18 https://www.amberhawk.com/ConversionDP.asp
Political parties have a vested interest also; see my blog on modern day election software https://amberhawk.typepad.com/amberhawk/2016/02/leave-or-stay-in-the-referendum-gdpr-has-to-be-implemented-by-the-uk-whatever-the-result.html.
Email lists for HIV patients are sensitive personal data: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/05/london-nhs-trust-fined-for-hiv-newsletter-data-breach/