GDPR has got teeth. The US regulatory approach to privacy, by contrast, is all gums. And US Senators, judging by their recent performance when they were supposed to be grilling Mark Zuckerberg, may have teeth but don’t seem to know how to use them. Never mind: it seems lawyers are taking this one into their own hands, with two lawsuits being launched against Facebook and Cambridge Analytica.
Question: what have anteaters and US privacy rules got in common? Answer: neither has any teeth.
Even so, anteaters can be highly effective at sucking up their prey. By contrast, the US regulator, and now it seems Senators, don’t seem to have a prayer of getting to grips with the Facebook and Cambridge Analytica affair.
In fact, so bad is the US approach to privacy that once GDPR comes into force on May 25th, members of the European Economic Area won’t even be allowed to export data to a US company, including a cloud provider, unless that company has signed up to a voluntary system called the Privacy Shield, or in some cases other voluntary codes. And that’s a problem, because under GDPR, you are responsible for what a third-party subcontractor does with your data. And if that contractor is based in the US, using US-based computers, then when that company handles your data, even if it is doing so at your request, you are technically exporting data to it.
This means global privacy rules are out of kilter: while the EU takes a lead, and other countries such as Japan and Canada advance their own response, the US seems more like a personal data Wild West.
But maybe the solution lies with the private sector. Under US laws, your freedom is protected. The Federal Trade Commission, which exercises its powers under section five of the Federal Trade Act, can make judgements on privacy practices if they are seen as misleading and deceptive. But it’s not like GDPR, targeted specifically at personal data, and armed with powerful weapons including the ability to fine companies four per cent of turnover.
Now, the Hagens Berman law firm, based in Seattle, has filed a class-action lawsuit against Facebook and Cambridge Analytica in the Northern District of California. The suit alleges that Facebook “stood idly by” as a “treasure trove of data” was transferred to Cambridge Analytica.
The law firm accused Facebook of “unjust enrichment and violation of privacy and consumer-protection laws when it permitted app developers and other third parties to exploit its lax to non-existent enforcement practices.”
Steve Berman, managing partner of Hagens Berman, said: “Facebook has repeatedly failed to uphold its own privacy agreements and policies, and it’s brazenly neglected the data security of the billions of those who use its social media service. Instead of choosing to be vigilant, making appropriate investments in data security and stopping this massive harvesting of users’ information by third parties, Facebook stood by as the private information of millions was funnelled into the hands of bad actors.”
Meanwhile, a separate lawsuit has been filed by US and UK lawyers in the US District Court in Delaware against Facebook, Cambridge Analytica, and two other companies connected with the Facebook/Cambridge Analytica saga, including Global Science Research Limited, founded by Aleksandr Kogan, the Cambridge University lecturer who is at the centre of the data storm.
Robert Ruyak, co-lead counsel in the class action suit, said: “Facebook utterly failed in its duty and promise to secure the personal information of millions of its users, and, when aware that this stolen information was aimed against its owners, it failed to take appropriate action. Facebook must be held responsible for failing to protect its users’ personal information.”
It just goes to show: as privacy concerns become a major topic of discussion in the media, at dinner parties and indeed on social media channels such as Facebook, the fines that can be imposed by regulators enforcing GDPR may be the least of a company’s concerns regarding data privacy. But then GDPR also provides companies with a defence: if they can satisfy the heavily armed regulators across Europe, maybe they are safe, or at least safer, from lawsuits or indeed the kind of media attention that has led to around $80 billion being knocked off the value of Facebook.
One thing is for sure: US Senators won’t do it. In their opportunity to grill Mark Zuckerberg, with just a handful of exceptions, the Senators came across as being totally out of their depth, asking questions that a quick Google search could have revealed the answer to.
Still, at least we now know that Facebook does not listen to our conversations. Sen. Gary Peters asked: “Yes or no, does Facebook use audio obtained from mobile devices to enrich personal information about users?” To which Zuckerberg replied “No.”