On June 25, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in association with the Committee on Industry, Research and Energy, the Committee on Constitutional Affairs and the Committee on Legal Affairs held the second hearing on the Facebook/Cambridge Analytica case.
The hearing focused on consumer trust in Facebook’s activities, the security aspects of the company and its compliance with data protection rules. The Silicon Valley giant was represented by several of its senior executives, including one of its privacy policy directors and its VP for global public policy. In other words, members of the Parliament discussed the consequences and impact of the Facebook-Cambridge Analytica data privacy breaches with experts and Facebook representatives. The following sums up the most important aspects of the event.
Since both Facebook (FB) and Cambridge Analytica (CA) are registered in the UK, the UK data protection authority (UK DPA - ICO) is investigating the case. If a company is found to have fallen foul of the data protection rules, fines can go up to 4% of that company’s global sales. A report by the ICO is expected in July 2018. Facebook underlined that CA was running ads on it but did not get information on EU citizens. CA did, however, get an aggregate pack of information on its ads, like other advertisers on FB’s websites.
In general, it can be said that now that the GDPR is being applied by national data protection agencies, GDPR compliance is a necessity, not merely good marketing. Currently, as was stated by the Austrian DPA’s head, there are already 30 cross-border cases, but more are to come this summer. These cases are communicated between the authorities in Europe, under the auspices of the European Data Protection Board (EDPB). This institution replaced the Article 29 Working Group last month. The EDPB will also follow the developments on e-Privacy (the legislative proposal is currently being negotiated in the Parliament and the Council of Ministers). The DPA’s head also emphasized that it is unlikely that FB’s problems will disappear because of its apparently mesmerizing and unclear answers in ongoing investigations (U.S. Senate, U.K. ICO).
The participants also stressed that GDPR is now a global trend. The Wall Street Journal is hosting an event on whether the U.S. should adopt GDPR-like legislation. This shows that the EU data protection rules – though they may differ as to the grounds for such regulation given that online privacy is a fundamental right in the European Union – are gaining serious attention worldwide.
When it comes to data collection and management, the members of the European Parliament (MEPs) and the representatives stressed that nobody can process personal data if consent is not given freely. Though there might be other grounds for data processing, when this is the chosen ground, consent must be given freely by the data owners. The national DPAs are seeking showcase opportunities, and citizens are encouraged to signal wrongdoing to them.
The third hearing, to be held on 2 July 2018, will focus on possible solutions and EU policies that could remedy the negative consequences and prevent these incidents from happening again. Facebook COO Sheryl Sandberg and a couple of European Commissioners have also been invited to the hearing.
What can companies in Silicon Valley learn from this?
If you are a company that is collecting, treating, handling or “trespassing” data that originates in the European Union, you have several obligations under the General Data Protection Regulation: stricter and more transparent data processing, responsibilities, system-level security upgrades and communication responsibilities towards consumers and regulators. It is not only your reputation that is at stake, but also 2-4% of your annual global income if you are found to have run afoul of the law. Note also that there is, generally, no “European Body” that will contact you in case of inquiry. Investigations will be conducted by the national regulators, which now have direct enforcement powers and are hungry to test those powers. This may split your effort when conducting business in the EU.