In mid-March the shocking story about Cambridge Analytica (CA)’s sophisticated hacking of Facebook’s data portability system hit the news. There was huge media outrage and given Facebook’s large user base, millions of people could identify with the victims of CA’s data robbery. Taking a closer look at the case, the hacking turns out to be just the tip of the iceberg when it comes to problems related to CA’s data business that sends a chill down the spine: manipulation of UK and US voters, security flaws, circumvention of election laws and the complete dismantling of users’ online privacy.

A multi-actor issue – who is to blame?

Before embarking on an exploration of the legal dimensions of the case, one important question to answer is: who committed the wrongdoing? Looking for those most likely to be blamed, Cambridge Analytica and their executives are first in line. Recent reporting indicates that the company was using personal data in an unethical and illegal manner to serve their illegitimate (and possibly unlawful) business goals.

Facebook was a key source of data that was fed into the CA algorithm to make better predictions on voters’ behaviour. The social media giant is now trying to play the role of a scapegoat and contends that the theft of data happened without their knowledge or authorization, in other words that they have been deceived. But Facebook fails to acknowledge that poor security oversights and fluid access policies makes them just as guilty as anyone else in this story.

Political campaign teams who hired CA to work for them were surprisingly quiet in the public debate. But given the huge sums of money that they paid to CA before the vote, it is hard to believe they did not have a full understanding of what the company was able to do for them. Regardless of the actual effects of CA’s work, the involvement and accountability by the campaigners should not be swept under the rug. In the UK, the data shows that the campaign teams, who did not hesitate to spend up to half of their whole budget to pay for CA’s analytical services, bypassed election laws by coordinated international money transfers. This illegal muddling of financial flows is what eventually placed them in the spotlight. It will be interesting to see how the story will evolve.

Finally, it has been argued that users should be the ones to condemn. I both agree and disagree. In the CA saga, not only users’ data but also their friends’ data was misappropriated. Those friends had no means of protecting themselves, nor were they aware of what was going on. Requesting a more proactive response from those users would go too far in my view. Users should only be held responsible for their data as long as the platforms give them viable options to exercise such control.

What seems more plausible is to point the finger at the policy-makers. They are the ones that should be more reactive and responsive to data threats. In fact, some authorities have already felt pressure to act. Some more successful attempts are the upcoming EU General Data Protection, the proposal for the Honest Ads Act in the US and the EU Member States’ guidelines on using personal data for political advertising. But talking about consequences has never been popular on social media or in the online context in general. In addition, the damage has already been done and the proposals are lagging behind before they have even been adopted.

A multi-level issue: what legal measures to trigger?

The array of potential wrongdoers (as well as victims) has triggered individual and collective legal actions on multiple levels. These reactions have been anything but coordinated, yet their multi-polarity is telling. When problems get multi-level, the legal response cannot be singular.

To better understand the conundrum of legal issues in the case, this blog provides a short analysis of the legal actions that have been triggered in the last couple of days. The focus is on the EU but the US will be mentioned as well to illustrate that the legal responses on the two sides are, to a large extent, analogous.

• Protection of personal data

Following the media outburst, privacy watchdogs were the early respondents. On March 17, the UK Information Commissioner (ICO) revealed that they had launched an investigation of the CA data processing practices. After several unsuccessful attempts to enter CA’s premises and conduct investigations, the ICO decided to request a warrant and get access to data on the basis of a court decision instead of CA’s voluntary approval. The Court granted the warrant after being convinced of the likelihood of violations of the provisions of the UK Data Protection Act, in particular of the principle of fair and lawful processing of data. Lawful processing of data relates to the question of legal basis such as consent or contract that justifies the use of data. Fairness of processing is a more open term, typically linked to transparency of processing and the possibility of individuals to oppose the processing. The data mining carried out by Cambridge Analytica was not only opaque and gave no feasible option to users to express their objection, it also failed to provide an adequate legal basis.

On similar grounds, Cook County filed a civil lawsuit in California against both Facebook and CA asserting deception, violations of privacy and demanding an injunction. Reportedly, more lawsuits have been filed against Facebook in Californian courts over the last few days. One of them was brought to court by a woman seeking class-action status due to improper data collection.

• Security of data

Interestingly, the warrant to ICO was partially granted on the basis of the claim that CA failed to take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In other words, ICO claimed that CA had committed a breach of security of data. However, it was Facebook that failed to control access and use of data. This is also clear from the recent announcement by the US FTC which initiated an investigation of Facebook’s privacy practices. In the US, a data breach encompasses both breaches of the security of the system as well as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. The definition of a data breach under EU law comes close: A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there is a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. Of course, under EU law the violation of privacy principles itself can give rise to legal action but a data breach claim adds another dimension as it emphasizes the need for better technical protection and monitoring of the systems.

Although the data breach law has traditionally been focused on technical breaches, in the light of these recent events it might be the right time to change the approach and extend the definition to (negligently or intentionally) unauthorized access to data. In particular, data security could be a useful point to build a case for the US authorities as the US data protection rules are often limited or non-existent. But more focus on security would also be useful in the EU. In 2017, the EU agency for network and information security (ENISA) already saw trouble coming when it referred to suspicious uses of data by CA in the US 2016 election campaign, pointing out the danger of illegal data analytics due to limited cyber threat capabilities. The demand for a more rigorous approach by Facebook also came from the German minister Katarina Barley, requesting the company to implement some concrete security solutions.

• Data access request

The CA and Facebook story triggered individuals to start exercising their data subject rights under data protection law. In 2017, Professor Carroll, a US citizen, filed a request to Cambridge Analytica to access his data. The request was successful, but Carroll alleged that the data firm did not fully disclose how it arrived at their predictions. Now he is suing the company to hand over all the data that they have on him as well as the source of this data. He hopes that after the lawsuit he will finally be able to access the full set of data that the company holds on him and figure out how his voting behaviour was influenced.

• Commercial lawsuits

From a commercial point of view, Facebook investors have decided to sue the company as its value decreased sharply after the revelations and users started leaving. According to their allegations, Facebook "made materially false and misleading statements" about the company's policies, and was covering up the fact that third parties got access to data on millions of people without their knowledge. The deceiving statements of the company executives misguided investors and contributed to their financial losses. The Court is still to decide on this matter.

• Criminal law aspects

It looks like the Facebook and CA saga will go beyond the boundaries of civil law actions. In an interview for Wired, M. Zuckerberg hinted that a criminal investigation of CA was about to follow. Under the UK DPA, misuses of personal data may in some cases lead to a criminal offence. Some suggested that criminal action may also be brought against a UK pro-Brexit campaign team due to illegal financial funding of the data-driven political advertising.

• Political measures

Representing the interests of EU citizens, the European Justice Commissioner Vera Jourova wrote to Facebook executive Sheryl Sandberg, asking about the extent to which data on EU citizens has been affected. Similar questions were raised by her German colleague. The UK House of Commons has invited Zuckerberg to London to testify but the social media’s founder has refused to visit. Instead, he promised to send two of his deputies. Zuckerberg, however, agreed to testify in front of the US Congress.

Conclusions

There are two key points to learn from the case. First, protecting personal data in the digital era takes much more than formalistic compliance. It requires on-going internal monitoring, business sacrifices and closely involved authorities. Second, as problems get multi-level, the legal response cannot be idiosyncratic. Rather, the bunch of potentially harmful effects of using data for the manipulation of voters proves the need for joint action by multiple authorities including data protection, competition and consumer protection authorities. Marsden and Brown argue for the so-called prosumer law – a regulation of digital platforms through mechanisms that draw on solutions from multiple legal areas. The CA & Facebook case is an excellent example to demonstrate how this approach could be useful. However, implementation could be challenging. Prosumer regulation requires proactive and cooperative data (protection, security, dominance) watchdogs involved not only at a national but also an international level.