Facebook x Cambridge Analytica: What does the scandal change in the protection of personal data?
A few weeks ago, a scandal revealed that millions of Facebook users’ data were retrieved by Cambridge Analytica, a British data analysis company, for political campaigning purposes and without users’ consent. 2.7 million European users are believed to be affected by these fraudulent personal data retrievals.
For many in Europe and the United States, this is an “unacceptable violation of citizens’ privacy rights”. Cambridge Analytica has nevertheless claimed to have respected Facebook’s terms of use throughout its data collection process. This raises the question of how personal data is protected on the Internet.
The possibilities of use of user data by companies
The personal data that you agree to give during the business relationship
In their various interactions with companies on the Internet, users are led to leave personal data about themselves, sometimes knowingly and sometimes without even realising it.
For example, when creating a customer account, users are aware that they provide their surname, first name, title, date of birth, addresses or telephone number… On e-commerce websites, they also provide their access codes and payment details on this occasion, although in encrypted form. Once the commercial relationship is under way, the company stores data relating to orders, conversations with the after-sales service and purchases made with its partners…
The data collected during a simple visit to a site
The company behind the visited site is able to collect personal data relating to the connection and to navigation, mostly through cookies. The following data is stored:
- the identifiers of the equipment used (IP address of your computer, Android identifier, Apple identifier, etc.)
- the type of operating system used (Microsoft Windows, Apple OS…)
- the type and version of the browser used (Microsoft Internet Explorer, Apple Safari…)
- connection dates and times
- the address of the web page from which the visit originated
- navigational data on the services used and content viewed
- the geolocation of the device, where it can be collected.
This information can be reused for the purposes of optimizing the site and the personalized customer experience on said site.
Scripts (or tags), tracking pixels and redirections can also collect data directly over the Internet. They yield personal data about the use of sites and applications, about whether or not an e-mail was read, and about clicks on the links contained in those e-mails… This data is collected by third-party service providers for the purpose of reselling it.
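The list above is exactly what a standard web-server access log records on every visit: client IP address, timestamp, requested page, referring page and the browser's User-Agent string (which reveals operating system and browser version). The example below is added here and is not code from the original article or from any company it mentions. It parses constructed log lines in the common Apache/Nginx "combined" format and then applies a data-minimisation step of the kind a data protection officer would ask for: the IP address is truncated to its /24 (IPv4) or /48 (IPv6) prefix, the timestamp is reduced to the day, the query string and the referrer's path are dropped, and the User-Agent is reduced to a coarse platform family. The log lines, hostnames and addresses are all constructed sample values (documentation ranges 203.0.113.0/24 and 2001:db8::/32).

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Apr/2018:14:03:21 +0200] "GET /products/shoes?ref=mail HTTP/1.1" 200 5123 '
    '"https://www.example.com/search?q=shoes" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/65.0 Safari/537.36"',
    '2001:db8:1234:5678::9 - - [10/Apr/2018:14:05:02 +0200] "GET /account HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) Safari/604.1"',
]

# One regular expression for the combined log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Coarse platform families, checked in order (iPhone before Macintosh because
# iOS user agents contain "like Mac OS X").
PLATFORMS = ("Windows", "iPhone", "Android", "Macintosh", "Linux")


def parse_access_log(line):
    """Return the raw personal data a single access-log line contains."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def anonymize_ip(ip):
    """Keep only the network part of the address: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False).network_address)


def platform_of(agent):
    """Reduce a full User-Agent string to a platform family."""
    for name in PLATFORMS:
        if name in agent:
            return name
    return "other"


def minimize_record(rec):
    """Strip a parsed record down to what site optimisation actually needs."""
    # "GET /path?query HTTP/1.1" -> "/path" (query strings often carry identifiers)
    path = rec["request"].split()[1].split("?")[0]
    return {
        "ip": anonymize_ip(rec["ip"]),
        "day": rec["time"].date().isoformat(),
        "path": path,
        # keep only the referring host, never its full URL
        "referer_host": urlparse(rec["referer"]).hostname or "",
        "platform": platform_of(rec["agent"]),
    }


def minimize_log(lines):
    """Parse and minimise every line; returns a list of reduced records."""
    return [minimize_record(parse_access_log(line)) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, minimize_log(SAMPLE_LOG)):
        print("raw:      ", before)
        print("minimised:", after)
```

Run as a script, it prints each raw line beside its minimised form. The point for a data protection review is the contrast: the raw line alone ties a precise address, a second-accurate timestamp and a full browser fingerprint to the pages a person viewed, whereas the minimised record still supports traffic analysis while identifying no individual.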
Sensitive data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data relating to health or sexual orientation) may even be collected in some cases.
The use of personal data
This data is used first to deliver products or services, then to improve the use of the websites, and finally for the site’s marketing operations.
User data may also be passed on to the company’s customers, partners or subcontractors, social networks and the authorities. Normally, every company has a dedicated data security unit to protect this information from accidental or unlawful loss, unauthorized use, disclosure or access.
Future changes
According to the Model European Parliament, Europe needs stricter laws to prevent the fraudulent use of site users’ data, as was the case with the millions of Facebook records used by Cambridge Analytica.
New privacy policies will be put in place to protect Internet users regarding the use of their sensitive data and the misuse of their general data. The quality of the data collected by companies should not suffer as a result.
New laws are being introduced at European level. The General Data Protection Regulation (GDPR), voted in the wake of the Facebook scandal and in force since 25 May, aims to strengthen the protection of personal data by making it binding on all platforms that process the data of European citizens.
Some Swiss companies are also affected, because of their exchanges with counterparts in the European Union. As soon as your company exchanges data with entities in the European Union, you are subject to this regulation. Do not hesitate to contact us if you would like to know where your company stands.
In case of violation, companies are liable to fines of up to 4% of their worldwide turnover if data is captured without explicit consent. This is the first time that a unified regulatory framework has been put in place on this subject at European level. Data Protection Office (DPO) or Data Protection Consultant (DPC) positions will be created. They will be key players in data protection within companies. The G29 strongly recommends that companies create these posts to ensure that data from the Internet is used properly.