Recent media coverage of Cambridge Analytica and its relationship with Facebook may have resulted in the inadvertent conflation of two separate areas of regulation, the Data Protection Commissioner has told an Oireachtas committee.
Helen Dixon made the remarks while appearing before the Joint Committee on Communications, Climate Action and Environment on Tuesday.
“The issues of personal data processing on the one hand and electoral matters on the other are distinct and separate from each other and my office has no role in regulating the core aspects of electoral activity, including advertising and canvassing activities, other than where personal data is deployed,” Ms Dixon told the committee.
Ms Dixon said political microtargeting by advertisers was a particular form of microtargeting which used different methods of communications to interact with and attempt to influence prospective voters.
“Meanwhile, the objective of data protection law is to protect individuals, amongst other things, from the unfair processing of their personal data.
“A key aspect of this fundamental fairness of processing issue is about transparency for individuals as to what information is collected on them, how it is used and who it will be shared with, so that individuals are positioned in a way that means they can actually control the use of their personal data in a meaningful way, for example by opting not to provide information to a particular organisation in the first place.”
Ms Dixon said micro-targeting for political purposes was a potential technical subset of online behavioural advertising by social media platforms, apps, publishers and internet sites.
“The application of these techniques in Europe to process voter data are thought to be more difficult in part because of EU data protection laws.”
She said academics who study in this field were “not yet certain of what, if any, the significant real effects of political microtargeting through social media may be”.
It seemed that considerable research, evaluation and investigation would need to take place “before concrete conclusions can be drawn about the true risks and consequences of this type of personal data processing”.
The demand for greater control and greater transparency over how, and why, personal data was used, would be facilitated by the General Data Protection Regulation which becomes applicable across Europe on May 25th 2018.
Ms Dixon was questioned by committee members on why it had taken 18 months following an audit of Facebook by her office in 2011 and 2012 to shut down the feature that ultimately allowed Cambridge Analytica to inappropriately access the personal data of about 87 million people.
The commissioner said the audits looked at a range of issues and sought to resolve them. The office at the time had not believed allowing access by third parties to friend data was “proportionate”.
An “iterative process” was engaged in whereby Facebook had “asserted its legitimate interests to implement the feature in that way”.
It had not agreed with the recommendation and the commissioner’s office had “persisted with this iterative process”.
Ms Dixon said there were many ways to go about persuading a company to comply and one such way was the litigation route, which her office had taken in relation to the use of other transfer mechanisms used by Facebook to transfer data to the US, in the Schrems case.
But she said the life-cycle around litigation was “uncertain and also very lengthy”.
During the committee proceedings, Facebook announced it is to introduce a new feature ahead of the referendum on the Eighth Amendment that could reveal to individual users all ads that are being run by advertisers.
The feature, View Ads, is set for a global launch in June, but Facebook said it would add Ireland to the pilot programme from April 25th.