
Facebook Data Breach in the Times of GDPR

Posted By - Muqbil Ahmar, Executive Editor

In what could be termed one of the biggest data breaches ever recorded, the personal information of more than 50 million Facebook users was harvested for political gain by a company called Cambridge Analytica. The data was not taken by breaking into Facebook's systems: it was collected through a third-party personality-quiz app and the friend-data permissions Facebook's platform granted to such apps at the time, then passed on to the analytics firm. Cambridge Analytica worked for US President Donald Trump's election campaign and exploited the data to target millions of US voters, using it to build software intended to predict as well as influence choices at the ballot box. This has raised serious questions about the ethics of such a diversion of personal information.

“The Facebook - Cambridge Analytica incident has made the common person aware of what really happens with her personal data. It has served to highlight the fact that data is being used for purposes beyond her control without telling her about it and shared with people she never imagined it would be shared with. She is finally realizing how each of her actions online is being recorded, tracked and analyzed - and is being used to manipulate her thoughts and opinions and predict her behavior. She is probably realizing to what extent algorithms have seeped into our lives and are taking decisions impacting her. It is finally dawning on her that personal data can really impact her basic rights,” says Shivangi Nadkarni, CEO - Arrka Consulting.

“Someone rightly said that if you are not paying for the product, you are the product. What happened has been a common practice where user data is collected for various purposes and later used or sold for a price, be it a search engine that shows ads for an item that you were recently researching or an application that provides you with suggestions for future connections on the basis of your preferences. At the core, it is the permissions that are granted to applications when we install them. We hardly ever care about the consequences that can possibly arise on account of permissions granted. I would not be exaggerating if I say that even today all of us will have applications on our devices that have unlimited access to our data and contacts,” says Kalpesh Doshi, Senior Director and CISO APAC, Capgemini.

In the wake of the revelations, Facebook's shareholders lost $6.06 billion in investor wealth as the world's biggest social networking platform recorded its largest single-day share-price decline since 2014. The stock has continued to slide since; at the time of writing, shares are down 10.4 percent.

“Recent events are an indication of how far entities push the boundaries of ethics and regulations to gain supremacy in the surveillance economy,” says Gupta Boda, Chief Technology Advisor at NABARD - National Bank for Agriculture and Rural Development.

Facebook data incident in the post-GDPR scenario

With the General Data Protection Regulation (GDPR) coming into effect barely two months from now, the Facebook incident should be a lesson to every business about the real risks it would face under the new legislation. The regulation's reach is not limited to companies headquartered in the EU: any organisation, Facebook included, that processes the personal data of people in the EU while offering them goods or services comes under its purview once it applies, and the most serious infringements could attract financial penalties running into billions.

“These are realities that the folks who work in privacy function have known and have been striving to address in different ways. These are realities that cannot be addressed at organizational level. These are issues that need to be treated by laws and regulations. The Supreme Court judgement on privacy as a fundamental right has greatly helped in driving some of this in India. The Data Protection Law in the pipeline should hopefully address these issues. The GDPR is a regulation that has taken the realities discussed above into account. Only time will tell how it pans out and how it impacts the world. And whether the cost of compliance expected will result in negative impacts on businesses or not,” adds Shivangi Nadkarni.

“In the current scenario, as I understand, Facebook is a private organization and has no obligation to report data breaches. However, if we were to bring Facebook under the GDPR scheme of things, Facebook would necessarily have to report such a data breach and run the risk of being ‘named and shamed’ publicly. Also, considering such a breach violates or impacts the rights and freedoms of individuals, Facebook may even need to report the breach to each and every such individual directly, which would seriously impact the organization's reputation. This is prior to the Information Commissioner's Office (ICO) reviewing the case for further fines applicable under GDPR to be levied. The main question posing a major challenge in such investigations is how to arrive at this being a data breach and who would be held liable in such an event - Facebook, analytics firms, or ad tech firms?” asks Dilip Panjawani, Head - Chief Information Security Officer & IT Controller at Larsen & Toubro Infotech Ltd.

In fact, the maximum fine rises sharply: from the £500,000 ceiling the UK's ICO can currently impose under the Data Protection Act 1998 to €20m or 4% of worldwide annual turnover, whichever is higher. Facebook's revenue for the 12 months to 31 December 2017 was around $40bn, so a maximum fine could be as high as $1.6bn, or roughly €1.3bn. One caveat matters for anyone modelling this exposure: the 4% tier (Article 83(5)) is reserved for infringements of the basic processing principles, data subjects' rights and the rules on international transfers. Failures of a controller's own operational duties, including the 72-hour breach-notification requirement, fall into a lower tier capped at €10m or 2% of turnover.

“This is more than just a GDPR breach. This is a breach of ethics and morals. Sadly, it will continue. The fact is that companies like Facebook and Google thrive on us and our emotions. This is an ethical problem more than a moral or a legal one. If no one used Facebook, it would have collapsed. It thrives on the manipulation of human emotions. I see Mark Zuckerberg's apology as a master stroke. Pure genius! It is not an apology for what Facebook does. It is an apology for allowing third parties to use Facebook. Now, only Facebook can legally manipulate all of us,” says Amar Singh, global cyber security and privacy thought leader.

“Somehow, a sense of my personal data does not remain anymore. After seeing the latest updates from Mark Zuckerberg and his colleagues, a few more questions come to mind. In some of its latest statements Facebook has mentioned that it will enforce strict rules to audit its app vendors, which is good in a way. But who holds the responsibility for auditing Facebook or any wrongdoing by them? It also said that app developers and applications will not get access to user data. This is a highly controversial statement, according to me, simply because 80% of the apps on Facebook make money with the user data ‘they mine’ through their apps. That's how Facebook makes money too. I am skeptical about such a move, as they are putting barbed gates on their own revenue. It is clear in the current case itself, since Facebook knew about this data breach for a long time but continued to retain Cambridge Analytica simply because they were a customer of Facebook. It's only after the public news that Facebook pulled the plug on Cambridge Analytica,” says Sujith Kumar, Director Solutions at Getronics.

Related Tags - GDPR, Facebook, data analytics, data breach, CISO
