The year 2018 shook the world when a data company scandal made it crystal clear that masses of people can be manipulated online into voting for a candidate to make him win even when thepre-election polls and statistics suggest unfavoured conditions. The infamous Cambridge Analytica case revealed how regime change can be brought about with unethical breach and grave abuse of technology laws. Data is the new oil and a powerful weapon that can be used in geopolitics. This article takes a look at the scandal case that initiated the process for the world to realize of how menacingly yet effortlessly their rights related to data protection and privacy can be violated, and that too without bringing it to their notice.
Facts and background of the case :
In 2016, following the declaration of Donald Trump’s win in the USA presidential elections, a data company based in London, UK namely Cambridge Analytica announced to the world that it had played a crucial role in Trump’s win. What followed the announcement was deep research and enquiry into how the company operated, and subsequently, the unveiling of a scandal that only affirmed that data is the new oil. Data-driven communication company Cambridge Analytica had garnered personal details and information from nearly 87 million Facebook users through an external app in 2015. The data was collected from a personality quiz, “This Is Your Digital Life”, and around 270,000 people were paid to take the quiz. When the users undertook the quiz, it enabled the technical algorithms of company to pile up data about the friends, relatives, personal choices, residential details and other personal intricate characteristic traits of the user. What made this illegal was the fact thatall of this was done without the consent of the users. This data was used, as revealed by the company’s former employee, to manipulate users into voting for Trump by controlling their attention and daily social media diet. Before the 2016 elections, the company was also accused of involved in Brexit campaign as well. All of this was unknown until Christopher Wylie, A former Cambridge Analytica employee disclosed this in an interview.
It began with Mr. David Carroll – a media design Professor at the Parsons School of Design in New York. In 2017, his intrigue about whether Cambridge Analytica held any of his personal data for their ulterior projects in an unethical manner led him to file a Subject Access Request (“SAR”) to Cambridge Analytica’s parent company – the SCL group limited. On not receiving a legitimate explicit response from them he further instructed solicitors to write “a letter before action” outlining a claim for compensation for distress caused by breach of the Data Protection Act 1998, for tortious misuse of private information, and for breach of confidence. 
With substantial concerns about the hidden agendas of the company and investigative interest, United Kingdom’s Information Commission Office, in March 2018 raided the offices of Cambridge Analytica and found enormous amount of evidence with severs and books and other material. Eventually in November 2018 the ICO considered that Cambridge Analytica had resorted to serious breaches of data protection principles.
With company’s employee Christopher Wylierevealing details about unlawful use of data without the consent of users, it was established that law had been broken and a formal lawsuit was filed against the company. Legal action was also initiated against Facebook because it had breached the data protections law by failing to keep user’s private data secure. Both the entities were said to have violated certain provisions of Data Protection Act, 1998. Charges were filed on Facebook in several countries namely United Stated of America, Canada, India and United Kingdom. In the testimony before the Congress, the founder of Facebook- Mark Zuckerberg indirectly admitted of being aware about the part that Facebookplayed in this process.
How does the Data protection Act 1998 United Kingdom protect data?
Section 1 of the act Data Protection Act 1998elucidates the term personal data in following manner: Personal data is the data relating to a living individual who can be identified
•from that data; or
•from that data plus other information that was in the possession, or likely to come into the possession, of the data controller. (Sensitive personal data concerned the subject’s race, ethnicity, politics, religion, trade union status, health, sexual history, or criminal record.
It is essential to note that this Act applied only to data which was held, or was intended to be held, on computers, meaning online technology equipment,or an online filing system. The main protection against violation of data related rights is given to citizens via eight principles that form the core part of this Act. Theeight data protection principles, prescribed in the first schedule of the act, to which all data companies must adhere. Following are the highlights of these principles in brief :
1.Personal data shall be processed fairly and lawfully. This is the foremost and necessary condition.
2.Restrictions on use of personal data: Personal data can be obtained only for specified and lawful purposes. However, it cannot be processes for any purpose that is inconsistent and unrelated with the main purpose.
3.Nature of data in context of purpose: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4.Characteristic:Personal data shall be accurate and updated if and when necessary.
5.Time restrictions on use of such data: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6.Processing of data and individual rights: Processing of personal data shall be in consistency with the rights of data subjects (individuals).
7.Legal action: In case of misuse and destruction of data, legal action can be initiated.
8.Transferring of data: Personal data shall not be transferred to a country in Europe unless that country adheres to similar ethics of data protection.
With a brief overview of eight principles, it is clear hoe Cambridge Analytica violated the essential ethical components of data protection.
Are there any conditions to process the data?
The conditions for processing of data are given in the second schedule of the act.In order for data to be classed as ‘fairly processed’, at least one of these following six conditions had to be applicable to that data :
1.The data subject (the person whose data is stored) has consented to the processing. Cambridge Analytica violated this condition.
2.For contractual performance and obligations.
3.For legal needs mentioned in a contract.
4.Protection of the user whose data is being stored and processed.
5.Performance of public functions.
6.Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject).
CA and Facebook neither took the consent of users nor were they made aware of legitimate interest of company to look into their personal information. It is crucial to understand that the processing of data should not consist of conflict of interest of the user.
How does the act define ‘consent’?
The definition of consent is maintained by European Data Protection Directive. It defines consent asany freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. However, data companies cannot interpret non-communication as consent. The consent must be explicit. The Act provides a few exceptions such as national security, criminal proceedings and taxation and domestic purposes in Part IV.
What is the ‘Right of Access’ and ‘Subject Access Requests?’
The Information Commissioner’s Office in United Kingdom plays a key role in enabling process for a ‘subject access request.’ Right of access is the right of users of social media and any otherindividuals to find out if an organisation is using or storing their personal data. This can be exercised by asking for a copy of the data, and the process of asking for a copy is commonly known as making a ‘subject access request. Right to Access is an enforceable right in nature. However, requester has to satisfy the condition of ‘legitimate interest’ to get such access.
Verdict and penalties:
Both Cambridge Analytica and Facebook were found guilty under Data Protection Act 1998 and USA Federal Trade Commission’s charges for having harvested the personal data of 87 million users without their consent. Facebook paid a record-breaking $5 billion penalty, the largest amount any tech company has paid to settle, and promised to implement better structures to hold the company accountable for the decisions it makes about its users’ privacy.
What does the future hold?
The movie Social Dilemma prescribes an alarming line to the viewers. “If you are not paying for the product then you are the product. It’s the gradual, slight, imperceptible change in your own behaviour and perception that is the product.”Data companies hold a powerful position in today’s date and time. For they are indispensable, because the very deeply rooted presence of social media platforms makes them thrive. The Cambridge Analytica Case uncovered the urgent need of data privacy laws that must be airtight for the protection of data and privacy rights of billions of people who have a social media presence. With digital economy taking over a gigantic share in trades and markets, liberty and privacy rights will often find themselves at roadblocks. The only way to adhere to ethical digital standards is rock-solid enactment of stricter technology legislation. As detrimental as this scandal was, it also paved the way for nations to put restrictions on leeway offered to giant tech companies.
This blog is authored by Gargi Choudhari, a student of Savitribai Phule Pune University.
6. Ibid 4
7. Ibid 4
8. Ibid 4