Facebook’s PR nightmare following the recent Cambridge Analytica scandal shows no signs of abating. The EU Security Commissioner has just indicated that Brussels is prepared to regulate social media companies if they don’t quickly tackle head-on the mishandling of personal data that the Cambridge Analytica story appears to have exposed.
We have already discussed why the Facebook/Cambridge Analytica story matters in the context of GDPR. Crucially, it has moved the whole issue of data protection to the top of the political and media agenda. Most of the commentary has centred on the issue of consent. But as we watch the story develop, we think it also raises important points about another key data protection rule: the principle of purpose limitation.
WHAT IS PURPOSE LIMITATION?
Article 5(b) of the GDPR reaffirms the principle of the existing rules on purpose limitation. It also introduces a few minor additional safeguards for further processing of data for archiving, scientific, historical or statistical purposes.
The article states that personal data shall be:
“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”
So a company that handles personal data must be very clear about how it will use that data. GDPR is all about enabling data subjects to make informed choices. Data processors will no longer get away with vague terms and conditions of use or consent that is not explicit.
PURPOSE LIMITATION AND FACEBOOK
A lot has been written about Facebook and potential breaches of data protection laws. Of course, so far nothing has been proved against the social media giant. But it’s certainly interesting to consider whether those Facebook users who downloaded the ‘thisismydigitallife’ app that is at the heart of the story knew what purpose their information was going to be used for.
Reports indicate that they understood the quiz was for psychological profiling. But did they realise the information they provided (through answers to the quiz) would be passed on to another company (Cambridge Analytica) and used for political purposes, as is alleged?
GETTING READY FOR GDPR
Any company storing or processing information about EU citizens must be GDPR ready by 25 May 2018. When you obtain data, you must do so clearly and explain the purpose for which you are going to process it. Of course, it’s not unusual for companies in the possession of data to want to use it subsequently for a secondary reason. And there are ways to do this without falling foul of the regulations, for example through pseudonymisation of data.
Big Data Law in London is a specialist team of data protection lawyers. We are currently offering a range of GDPR compliance packages in time for the implementation date. For more information please contact one of our solicitors on 0203 670 5540.