Facebook Data leak and EU GDPR

Binosh Alex Bruce

When we immerse ourselves in social media without any discipline, we turn ourselves into a mere commodity, to an extent where we feel the need to show every bit of our life to the world. Has it ever occurred to you what issues follow from tagging all the places you visit, or the pictures you take, or the live videos of where and when and how you are, and from the feeling of being a celebrity when 100 people watch you as you show the personal details of your life? Have you ever thought about what it is that drives a person to feel the need to be admired by random people, so much that they would commoditize themselves to a point where it could be unsafe for them? If we are among those who ask ourselves these questions, then we are among the few who are aware of the threats these habits pose to us. Several recent incidents and news reports have shed light on the extent of these threats.

Cambridge Analytica and Facebook

A few months ago, a very prominent FM radio jockey made a live video about social media and the extent to which it compromises our privacy. The video went viral and had more than 1.5 million views within a week. She quoted me in the video about something I insist on saying repeatedly to make people aware of the depth of the issue of overuse of social media. Among the growing population in India, a lot of people are more concerned about their phones and technology than about food and clothes, and yet they do not have the capability to use them wisely. We handle applications so irresponsibly that we give them consent (for example, applications such as “Find who you were in your last birth”, “Find who is in love with you secretly”, “Find how long will you live”) to access, store and use our personal details as they see fit. None of the things these applications claim to do is true, which we know, and yet we indulge in them for the fun of it without thinking of the vast implications it can have.

What did Cambridge Analytica do?

What can be understood from what the New York Times posted is that the personal details of Facebook users, their friends' details, their likes, their place of residence and the like were all included in what was leaked.

How did Cambridge Analytica acquire those details?

In 2014 a few researchers who were working alongside CA conducted a survey on Facebook and made users download an application alongside the survey. This application collected the personal details and monitored the activities of those users. The technology was not initially competent to work with Cambridge University’s application, but Professor Aleksandr Kogan, a Cambridge University professor, developed an application of his own and combined it with the technology that the university had in June 2014 to collect data for CA from Facebook. He collected the raw data of about 50 million users, of whom only 270,000 gave consent to use their data, and handed it over to CA.

How was the data used? Could they be used in such a way?

From the details collected by CA, people who did not have any affiliation towards any candidate in the previous US election were singled out and shown constant negative news about Hillary Clinton, thus swinging the election in favour of Donald Trump. This is known as a vote swing.

This is a serious issue when we consider that the terms and conditions of Facebook clearly state that details collected for research cannot be used for any other purpose, but in this incident it was found that CA used them for financial gain.

How can these leaks be stopped? How can we gain more control of our personal data?

Even countries that are not as big, or not as big a player in world forums, give much importance to their citizens' privacy. The biggest example is Singapore: when the allegations regarding CA became known, the Minister of Home Affairs in Singapore, Mr. K. Shanmugam, called Facebook’s Asia-Pacific policy director, Mr. Simon Milner, before their select committee for questioning. India is a much bigger country and we supposedly have a very powerful prime minister, but when it came to be known that the details of our citizens could have been compromised, the least that could have been done was what Singapore did.

What is GDPR?

The personal data of individuals within the European Union will be protected by the enforcement of the General Data Protection Regulation from 25 May 2018. It was adopted by the union on 27 April 2016, but every country was given a two-year transition period for enforcing this regulation, which is automatically binding on every member of the union.

What is the influence of GDPR?

GDPR is binding not only on companies that operate in the European Union, but also on those that provide any kind of service within the union or use any data from within the union. This gives user data within the union a great deal of security, and those who use data without consent will be held accountable. That is the kind of capacity we need to envision for the future of our citizens' data protection.

What is personal data?

Details regarding a person or a group of people, such as their name, photo, email, bank details, income details, social media details, and their old or new IP address, are all personal data. This means that it will become a serious issue if a photo that belongs to a person within the European Union is downloaded and used for something without their consent.

The scope and requirements of GDPR

There are about 6 articles that are important when we try to understand what GDPR is.

  1. Breach Notification:

According to GDPR, all European Union states should have compulsory breach notifications. A data breach is considered a serious breach of an individual's privacy, so as soon as there has been a data breach, especially one that concerns the privacy of individuals, the states are required to send out notifications within 72 hours. The organisation, the application, or anyone else who handles the data should let the customer as well as the data controller know of such a breach.

  2. Right to Access:

The individual whose data is being used will have the right to access the details of who is using his data, how and why. The controller will also be able to check on a timely basis whether the data is being used for what it was meant to be used for.

  3. Right to Erasure:

According to this article, the individual will have the right to decide on the erasure of his personal details. Once the individual requests the data controller to delete his details, all the applications or organisations that acquired rights to use the data will have to adhere to it, thus giving the individual more control over his personal details and their usage.

  4. Data Portability:

The data can be transmitted between controllers, but only with the prior consent of the individual whose details are being used.

  5. Privacy by design:

Article 23 of GDPR pertains to data minimisation. To understand more about data minimisation, it is important to understand how some applications work on our phones. For example, when we try to download our prime minister Narendra Modi's app, it asks for permission to access our details and photos, and every other file on our phone. If you reject the permission to access those files, the application will not install on your phone. The application is not clear as to what other files it needs to access. It is not necessary to give access to so much data to run the application, unless the developers are trying to invade the privacy of the individual by forcing our hand to give them permission to access everything if we want to install the application. This would be a crime according to Article 23 in the EU, and any organisation or application that collects user data would be forced to collect only the data required for the purpose.

At the moment, the data that we share with each other through different media can be collected and used in any way in our country. Most of the applications we use collect more than the required data, and the importance of a law such as GDPR is understood when we consider how big data trends will be the future of businesses. Our data will be used for business purposes without our consent unless a law such as GDPR is introduced in our country.

  6. Data Protection Officers:

According to the data protection directive, the controller lets a local data protection officer know about the details of the data that is being processed. This is a huge issue when it comes to multinational companies that operate in different parts of the union. The local rules are different, which made it complicated, and the new law intends to bring it all under the same umbrella. By 25 May 2018, the role of a data protection officer will be of utmost importance. They will play an important role in giving guidance to companies on how data should be handled, and audits will be conducted to make sure that everyone who handles data adheres to the law.


Serious infringements of the GDPR can result in fines up to 4% of a company’s global revenue, or up to €20 million.
