Facebook’s Mark Zuckerberg has broken his silence to comment on the unfolding Cambridge Analytica data scandal. He has announced steps his organisation will take to deal with the fallout that has resulted from Cambridge Analytica’s acquisition of the personal data of up to 50 million Facebook users.

As the hashtag #deleteFacebook gains momentum it remains to be seen whether Facebook’s actions will be enough to stem the slide in the company’s share price or to restore the credibility of the social media platform. But as we ready ourselves for GDPR, the Facebook/Cambridge Analytica debacle is sure to have repercussions for any company that holds personal data belonging to EU consumers.



We believe the Cambridge Analytica story makes GDPR compliance more critical than ever for three reasons:

  • The furore has propelled the subject of data protection to the forefront of the political and media agenda
  • The scandal will inevitably give individuals a much greater sense of their rights in relation to their personal data and how these can be enforced
  • Data commissioners across Europe, including our own Information Commissioner’s Office, will have renewed confidence to investigate and clamp down on any future data breaches with vigour

So for the type of small and medium-sized businesses Big Data Law advises, comprehensive GDPR compliance has just become more urgent than ever.



A whistleblower has described to various news outlets how Cambridge Analytica got hold of data belonging to 50 million Facebook users. It allegedly obtained the information from responses to a quiz app on Facebook (“thisismydigitallife”) set up by a company called Global Science Research (GSR). Only 270,000 people actually downloaded the app containing the quiz, but GSR was able to obtain the data of 50 million Facebook users. Why? At the time (2015), when an individual granted access to their data on Facebook this also gave the person seeking the data access to the data of that individual’s entire Facebook friend network.

The quiz was described as an experiment that scientists would use to build psychological profiles of respondents. The whistleblower claims however that the information was sold to Cambridge Analytica. And it used the data as the basis of voter modelling ahead of the 2016 US presidential election.

Both Facebook and Cambridge Analytica deny they have done anything illegal or untoward.



Cambridge Analytica is a British company so the ICO has become involved. The UK’s Information Commissioner has issued a Demand for Access to records and data in the hands of Cambridge Analytica. As the company has not responded, the Commissioner has applied to court for a warrant to enable access.

Although the original Facebook quiz targeted US individuals, if UK citizens responded or US respondees had friends in the UK whose data was harvested then the UK’s Data Protection Act (DPA) will kick in.


It’s likely that the Information Commissioner wants to find out whether UK consumers who answered the quiz understood what specifically the information they provided would be used for. For example if the quiz only referred to scientific research and not voter profiling there is likely to have been a breach of the DPA. In addition political views are likely to be regarded as ‘sensitive personal information’. Handling such information attracts much higher levels of security under the DPA than some other personal data.



The data harvesting that has led to the scandal occurred in 2015 – so in the UK the DPA applies, not GDPR. As we know the GDPR offers individuals much greater protection and control over their data. For example citizens can ask for information about them to be erased (the right to be forgotten). If the Cambridge Analytica data harvesting had been unearthed when GDPR was in force much heavier financial penalties would have been available to regulators than at present. Using information for a purpose other than the specific purpose for which it was obtained (which some commentators believe is the case here) could, under GDPR, result in a fine of €20 million or an amount equivalent to 4% of global turnover.


Perhaps one of the most alarming aspects of this story is that the data sharing that occurred was not strictly speaking a breach. There was no hacking or theft of information. And because of the amount of data involved, Facebook’s own internal systems flagged up the fact that so much data was being accessed. But this simply did not contravene Facebook policies at the time. (These have since changed.)

The furious reaction to this developing story means that the concept of data protection has been raised high in the public’s consciousness. Data compliance issues that were mainly of concern to businesses ahead of GDPR’s introduction are now firmly on the public’s radar. We anticipate a greater readiness by the public to enforce their data protection rights. Just as significant – as the commissioner’s pursuit of a warrant against Cambridge Analytica shows – is that regulators know they have teeth. They won’t be afraid to use them when it comes to enforcing GDPR.



To find out how we can help you prepare for GDPR call us on 0203 670 5540 or complete our online enquiry form.

Shubha Nath


Shuba provided excellent help in a very tough case, and acted above and beyond my expectations. With her friendliness, passion, and a wealth of knowledge, she made me feel comfortable in a trying time, and her professional services led to quick results in my case. I can highly recommend her services.

Cecilie Harris ***** See more reviews


Shubha Nath is director of Nath Solicitors, a boutique London law firm specialising in commercial contracts, company laws (formation/shareholder matters/M&A) and private and commercial dispute resolution.


When we state we partner with you to achieve results, it’s not just a slogan. Many of our solicitors have spent years working in the City, and we are passionate about business and helping our clients achieve their objectives.

See more on Nath Solicitors.co.uk

Shubha Nath