:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/ELLKQQY7C4MNHCZ3CIS3XWVWNA.jpg)
Anyone who believed the Cambridge Analytica/Facebook story had run its course found otherwise with this week's further disquieting disclosures. On Wednesday, Facebook admitted that the number of users whose data was improperly shared with Cambridge Analytica was more likely to be 87 million, not 50 million.
The reason so many could be affected is that the yourdigitallife quiz app also took data from the Facebook friends of the person who installed it. Facebook said that while 97 per cent of those who used the app were Americans, as many as 45,000 Irish people may have had their data shared with Cambridge Analytica. Then, Facebook's chief operating officer Sheryl Sandberg disclosed that the company had disabled a feature that could have allowed the public data of Facebook's two billion users be collected by malicious users.
Such data was, she said, “public” anyway. But, as with so many of these revelations, the average Facebook user worldwide was unlikely to have understood or shared this view of what “public” means. Sandberg’s comment bypasses the fact that such data also has specific EU privacy protections. Any third-party may not scrape data without notification or consent. Facebook’s failure to protect its European users from such activity runs contrary to the principles of EU data law.
The same applies to Irish and other EU victims of Cambridge Analytica's data gathering. The friends of those who installed the app were never notified. And the app should not have had this capability in 2013. On the basis of Austrian Max Schrems's complaint to the Irish Office of the Data Protection Commissioner (ODPC) about how Facebook managed his data – which highlighted such undisclosed, nonconsensual third-party access – the ODPC audited Facebook twice by 2012 and identified this problem. But Facebook only removed third-party access in 2014. Had the ODPC used its enforcement powers, Cambridge Analytica would never have had the opportunity to do what they did in 2013.
:quality(70)/d2j5ip5u6h2g6o.cloudfront.net/10-20-2021/t_6d05728fea0b4be8a2caee4d9bf1061c_name_1795463433001_5761487833001_5761479926001_.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/L4JHPCMSTOSFY3PYX4TWWC5TWI.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/5NJJVZ6Y4DLIOUMF7BS3NFH55I.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/H63HNZXUCJA4LLBYTPNRRN7DMM.jpg)
Facebook as a corporate entity must also be held to better account. Certainly, the viability of Mark Zuckerberg, its chief executive and chairman, and of the board, must be scrutinised. Under Zuckerberg's leadership, the company has suffered from a wide range of chronically unaddressed data privacy and data misuse problems that he and Facebook often initially underplayed.
Board members should have provided the oversight that ensured known problems were systematically dealt with. But the chairman of the board is Mark Zuckerberg, a problematic conjoining of chief executive and chairmanship roles that is widely considered poor governance. All of which signals little is likely to change at a company that has failed to seriously address data privacy concerns for years.