In the wake of the recent Facebook data breach, we take a brief look at how the social media giant could become the poster company for how NOT to behave in the new age of GDPR.
In 2014, the company Cambridge Analytica ran a survey that collected the data of over 200,000 Facebook users. Those users were actively taking part in the survey and willingly gave the company their consent to use their data. However, Facebook has various functions in place that can allow you to view the profile, and hence personal data, of friends of one specific user – and potentially even friends of friends, and so on. Those users did NOT provide their consent for their data to be used in the survey, yet it still was.
The number that has been floating around for users who did not provide their consent is 50 million. But, looking at the average number of Facebook friends (as noted here: http://bigthink.com/praxis/do-you-have-too-many-facebook-friends), that number could be significantly higher.
So, take those 200,000 users and the average of 338 friends per user, and the data of a potential 67.6 million people could have been obtained without express consent. Even using the median number of Facebook friends (200), that number would still reach 40 million, so 50 million seems to be a middle-ground figure.
Facebook has come under a lot of scrutiny for this breach of data, but it doesn’t end there for them. Other issues they have with data privacy include not providing users with suitable privacy controls (i.e. there are only a few privacy settings to even choose from) and the amount of data they hold, which alone can be problematic for DSARs such as the right to be forgotten or the right to suspend processing. Mark Zuckerberg has even been called into UK Parliament to address various data protection concerns and misleading information.
One good thing that has come of this is that users are taking action with a campaign to delete Facebook. Ironically, this campaign is happening on social media platforms such as Twitter, which is also likely to be collecting personal data of users without consent.
This campaign does represent the power users and individuals will get over their personal data when GDPR comes into place. #DeleteFacebook won’t just be an idle threat: if you request that your account and personal data be deleted, the company must abide by your request or face further consequences.
Read more on the story here: http://www.bbc.co.uk/news/technology-43465968