The global storm over allegations that more than 50 million Facebook users had their online data collected without their knowledge is pushing privacy watchdogs from the fringes of law enforcement into the political fray.
On both sides of the Atlantic, data protection authorities are under fresh pressure to enforce existing privacy rules and better police the digital space. But they face nagging doubts over whether they have the resources, clout and willpower to regulate tech giants like Facebook.
These questions are bound to dominate a two-day get-together of data protection authorities that starts in Washington on Tuesday. Gathered for the first time since Zuckerberg pledged to “fix” his company and took out full-page ads in British and U.S. newspapers to promise change, privacy chiefs are expected to discuss where they fell short on data protection and how they might restore trust with the public.
Amid the clamor for answers about how London-based Cambridge Analytica could have accessed peoples Facebook data and potentially used it to influence the 2016 presidential election in the U.S., the national privacy regulators will be watched closely for how well they can enforce existing rules. The pressure will only grow when the EU unveils a revamped set of privacy rules at the end of May — rules that have become the de facto global standard.
Critics worry if U.S. and U.K. agencies have the power — or will — to limit companies mass trawling of personal data.
“The Cambridge Analytica case shows the importance of having a strong data protection authority,” said Christopher Kuner, co-chair of the Brussels Privacy Hub at the Vrije Universiteit Brussel. “But its an unanswered question whether theyre up to the task.”
British and US investigations
Since the revelations last week, U.S. and British privacy agencies opened new investigations or extended existing ones into Cambridge Analyticas use of peoples Facebook data.
The U.S. Federal Trade Commission, which oversees the countrys data protection standards, said it is investigating whether Facebook failed to uphold a 2011 decision that ordered the company to receive peoples express permission before sharing their data with third-party developers.
In Britain, the Information Commissioners Office, the countrys watchdog, said it would include the most recent Facebook data accusations in its ongoing investigation into the potential misuse of individuals digital information in political campaigns. The tech giant said it had complied with all privacy legislation. Cambridge Analytica denies any wrongdoing.
“With big data, cloud computing and analytics, old-fashioned data collection has shifted significantly and maybe without taking voters with it,” Elizabeth Denham, the British privacy chief, told a U.K. parliamentary committee earlier this year. “More data is available to political parties, but its unclear how they can use it.”
Facebook said people could choose to share their information through third-party apps | Daniel Leal-Olivas/AFP via Getty Images
Yet despite the tough talk, critics worry if either agency has the power — or will — to limit companies mass trawling of personal data.
The British regulator initially failed to receive a warrant to search Cambridge Analyticas premises. It only succeeded after taking its pleas to a U.K. judge and waiting for days. The ICO — although one of the best resourced privacy agencies in Europe — has only 10 people working on its investigation and has seen a slew of its officials jump ship to the private sector over the last 12 months.
The FTC similarly is going through a major overhaul with four new commissioners still awaiting confirmation by the U.S. Senate.
Any investigation will likely be politically sensitive because the privacy allegations relate to Donald Trumps 2016 presidential campaign. And others question if the countrys data protection rules — often ad hoc legislation focused on specific industries like health care or financial services — are robust enough for the 21st century, where peoples online data has become a lucrative and tradable commodity.
“The FTC clearly failed to do a good job in protecting peoples privacy,” said Marc Rotenburg, president of the Electronic Privacy Information Center, a consumer rights organization in Washington, which filed the initial U.S. complaint against Facebooks data collection practices in 2009. “The U.S. has done a terrible job in updating its privacy laws.”
Role of Irelands regulator
Also under close scrutiny will be Irelands privacy authority, which oversees the data use of Facebooks non-North American users, or roughly 1.9 billion people, because the social networking giant has its international headquarters there.
The latest allegations focus on why Facebook allowed a third-party app connected with Cambridge Analytica to collect reams of peoples private information, even if those individuals had not downloaded the app themselves.
Such questions are not new.
Max Schrems, an Austrian law student who spent most of the last decade filing legal challenges against Facebooks data collection practices, made similar claims in a 2011 lawsuit filed to the Irish Data Protection Commissioner, the countrys privacy regulator. In that case, Schrems questioned why individuals online information was easily accessible to app developers using Facebooks digital platform, among other complaints.
“The history of Facebooks platform is one of ever greater privacy protections for people who used third-party apps” — Facebook spokeswoman Sally Aldous
“It doesnt make me very happy,” Schrems said. “We could have stopped this from happening in the first place.”
In response, Irelands data protection agency said it conducted two audits on Facebooks data collection practices, including demands that the company overhaul its privacy settings to give people greater control over how their data is shared with third-party apps.
“Following these discussions that took place between ourselves and Facebook, they did implement their platform upgrade,” said Graham Doyle, head of communications at the agency. “Because of that change, the stuff that happened with Cambridge Analytica could not happen today,” he said.
Facebook said people could choose to share their information through third-party apps, and following the Irish regulators audits, the company changed its privacy standards to restrict how peoples online information could be shared beyond the social networks own services.
“The history of Facebooks platform is one of ever greater privacy protections for people who used third-party apps,” Facebook spokeswoman Sally Aldous said.
Prepared for GDPR?
The publics growing awareness of privacy will gain even greater traction when Europes General Data Protection Regulation, or GDPR, takes effect May 25.
These rules give the regions regulators the ability to issue fines of up to €20 million or 4 percent of companies revenues, whichever is greater, if they run afoul of Europes data protection standards — rules that are already some of the toughest anywhere in the world.
Coupled with these new powers, according to privacy experts, will come greater scrutiny of these officials, who are often unknown beyond policymaking circles. That includes companies likely robust and lengthy legal challenges to privacy investigations because of the potential hefty fines that may come under Europes new privacy rules.
“They will have to prepare for a lot more pushback from organizations that they are investigating,” said Ot van Daalen, a privacy expert at the University of Amsterdam. “The stakes will be a lot higher.”
Facebook CEO Mark Zuckerberg in Menlo Park, California | Josh Edelson/AFP via Getty Images
To prepare, many agencies have more financial resources — including the tripling of authorities yearly budgets — to hire new staff needed to cover the extra work, including handling an expected increase in data breaches, or the unauthorized disclosure of peoples personal data, about which companies will have to tell regulators about within 72 hours.
With companies also gearing up for the new privacy changes, many agencies, particularly from smaller EU countries, are struggling to find enough privacy professionals to meet their regulatory needs. And with roughly two-thirds of Europeans still believing they dont have enough control over their data, regulators acknowledge they have an uphill challenge in making complex data protection rules accessible to the general public.
“GDPR provides an opportunity to make the public more aware of their rights,” Steve Wood, deputy commissioner at Britains privacy agency, said earlier this year. “We need to make sure they feel that theyre in control over their data.”