
INFO5301 Data Privacy and General Data Protection Regulation

a privacy breach: the profiles of 50 million Facebook users were being used by Cambridge Analytica, a British firm specializing in using personal data for highly targeted, highly personalized political ads. And Facebook failed to inform those 50 million users of the breach. That was failure number 3.

2.3 If GDPR had been applicable in the U.S. as of 2016, according to GDPR Chapter 2, Art. 5 and Art. 6, how did Facebook and Cambridge Analytica violate the principles "Principles relating to processing of personal data" and "Lawfulness of processing" when using personal information of Facebook users?

Answer:

Principle "Principles relating to processing of personal data": personal data shall be collected for specified, explicit and legitimate purposes. In fact, Facebook users' data (from the Facebook users who used the quiz app 'thisisyourdigitallife', and from their friends) was collected for illegitimate purposes.

Principle "Lawfulness of processing": at a minimum, the data subject must have given consent to the processing of his or her personal data for one or more specific purposes. In fact, Cambridge Analytica used this data for its own business purposes, which were believed to influence the Brexit referendum and the 2016 U.S. presidential election, WITHOUT the data subjects' consent.

2.4 If GDPR had been applicable in the U.S. as of 2016, according to GDPR Chapter 3, "Rights of the data subject", list the users' rights that Facebook failed to protect in the scandal of Facebook users' personal data being collected and used by Cambridge Analytica, and explain why.

Answer:

Art. 13. Information to be provided where personal data are collected from the data subject.

• The identity and the contact details of the controller and, where applicable, of the controller's representative. In this scandal, Facebook gave the app thisisyourdigitallife access to collect information about the quiz takers' friends. The quiz takers and their friends were not informed that their data were being collected.

• The recipients or categories of recipients of the personal data. In this scandal, Facebook users and their friends were not aware that the data collected by the quiz app was then shared with Cambridge Analytica.

Art. 17. Right to erasure ('right to be forgotten'): the personal data have been unlawfully processed. When Facebook became aware that the data of Facebook users had been provided to Cambridge Analytica, it did not ensure that CA had destroyed the user data files.

Art. 18. Right to restriction of processing: the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. Facebook users' data was processed by Cambridge Analytica without their consent.

2.5 What could Facebook have done to prevent the incident?

Answer:

Information Security Management Page 5 of 6