May 24, 2018
You’ve probably seen messages like this filling your inbox and social media apps of late. What is it all about, and why should we be concerned?
Every time you post a photograph or a story on Facebook or Instagram, you leave a trail of personal information online, about you, your family and friends, what you like, where you travel, work, eat, and more. This intelligence is valuable to advertisers, who are the main source of income for companies like Facebook and Google. But as the data is about you, social media firms should seek your consent before sending it to someone else. This has become all the more sensitive since political advertisers have become involved, potentially affecting election and referendum outcomes.
To understand how serious all of this is, think back to the Facebook data-handling debacle that dominated the news in March and April 2018. The affair led to several questions about privacy in today’s rather open online world.
It exposed some of the unseen ways a person’s data can be mishandled and exchanged across the internet, without their knowledge or permission. Remarkably, it took as long as three years before some 87 million Facebook users discovered that their own data had been acquired by a consultancy firm, Cambridge Analytica, for use in political campaigns. Unlike in previous cases concerning Uber and Yahoo, in which hackers had reportedly stolen data, this was a normal commercial transaction involving data that had been compiled using an online quiz posted on Facebook called “This is your digital life”.
But it was not a transaction those millions of Facebook users necessarily wanted. This not only rekindled a heated policy debate on personal data protection and privacy online, but touched a nerve that runs through the heart of today’s economy: How trustworthy is our digital world, and how regulated do we need, or want, the internet to be?
The timing of the Facebook issue could hardly have been more poignant, erupting just weeks before the EU’s new General Data Protection Regulation (GDPR) comes into force on 25 May.
The regulation, which replaces a 1995 directive, aims to harmonise data protection laws throughout the EU and bring some coherence to the tangle of different national laws that have grown over the years. The GDPR’s spirit and much of its detail reflect the OECD privacy framework that was developed three decades ago and revised in 2013, notably upholding the importance of openness and promoting respect for privacy as a fundamental condition for the free flow of personal data across borders.