These accusations, denied by Cambridge Analytica officials, caused Facebook to lose nearly 14 % in a few days and triggered promises of all-out investigations on both sides of the Atlantic. Cambridge Analytica's London offices were also quickly searched.
The scandal goes to the heart of Facebook's business model, which relies on the resale of users' personal data, particularly for advertising purposes. After remaining silent for several days, CEO Mark Zuckerberg finally admitted on Wednesday 21 March that mistakes had been made and that his company bore responsibility for them.
In France, the end of the law "Informatique et libertés" (Information Technology and Freedom)
This case is a perfect illustration of the importance of personal data protection issues, and of the negative consequences, in terms of business or image, for any company that handles data without visible concern for data protection rules. It comes at a time when, in Europe, and more particularly in France, a small revolution is taking place: the European General Data Protection Regulation (GDPR, or RGPD in French) replaces, as of May 25, 2018, the well-known law "Informatique et libertés" ("Data processing and liberties") adopted more than 40 years ago in France.
What's different about the GDPR?
While the main principles of data protection remain largely unchanged, compliance management procedures have been completely overhauled, and the risks in the event of non-compliance (criminal sanctions, financial penalties from the CNIL and reputational risk) are significantly increased.
In a context of exponential technological development (predominance of algorithms, new connected objects, new uses of the Internet, etc.), the GDPR also aims to improve the protection of persons on file and to govern the use of personal data by operators established in the cloud. These measures concern the American "GAFAM" (Google, Apple, Facebook, Amazon and Microsoft), Asian giants such as Tencent, and service providers located in the Indian Ocean alike...
In particular, the GDPR aims to better protect European Internet users when their personal data are handled by operators established outside the European Union, as is the case with the large US Internet operators (Facebook, Google, Microsoft, etc.). Exercising the rights recognised by the current "Data Protection Act" is indeed difficult on the Internet, in particular because of the question of which legal rules apply according to the location of the data: these vary according to the location of the computer servers that host them.
As the European Commission has noted:
"Rapid technological developments and globalization are profoundly changing the way in which an ever-increasing volume of personal data is collected, accessed, used and transferred. New ways of sharing information via social networks and of storing large amounts of data remotely have become part of the habits of many of Europe's 250 million internet users."
The problem of "data havens" is, moreover, an illustration of this fundamental contradiction with which computer law is confronted: while communication tools are, by their very nature, globalized, they are only governed by fragments of national regulations whose scope of application is, by their very nature, narrow, limited to a territory and a field of competence that is ordered and marked out.
Obliging non-European operators to comply with European data protection rules
The GDPR aims to overcome this difficulty. To do so, it reinforces the rights of the persons concerned. From now on, if the data of individuals within the European Union are processed by a company or a processor established outside the Union, European law will apply when these activities are linked:
- to the supply of goods or services to such individuals living in the Union, whether or not payment is required from them. In this respect, the GDPR specifies that factors such as "the use of a language or currency customarily used in one or more Member States, with the possibility of ordering goods and services in that other language or the mention of customers or users within the Union" may indicate that the controller is considering offering goods or services to persons within the European Union;
- to the monitoring of the behaviour of these individuals, insofar as it takes place within the Union. In this respect, the GDPR states that this includes techniques for profiling a natural person "in particular for the purpose of making decisions about him or her or analysing or predicting his or her preferences, behaviour and attitudes", such as the "behavioural targeting" and "targeted advertising" schemes at issue in the Facebook case.
There is here a kind of "extraterritorial" effect of European law, since the purpose of the GDPR is to compel non-European operators to comply with European data protection rules. Thanks to the GDPR, the abusive practices alleged against Facebook could, if proven, lead to the application in France of particularly severe criminal (up to five years' imprisonment) or financial penalties. As of May 25, 2018, the CNIL will be able to impose financial penalties of up to 20 million euros or 4 % of a company's worldwide turnover.
A European justice system that is very vigilant with regard to private life
The Court of Justice of the European Union (CJEU) attaches great importance to the privacy of European citizens. In a judgment of 6 October 2015, known as the "Schrems" judgment, it invalidated Decision No 2000/520/EC of the European Commission, which had found that the United States provided an adequate level of protection for personal data transferred from Europe. This decision, which allowed the application of the Safe Harbor Agreement between the United States and the European Union, made it possible for personal data to be transferred between EU and US companies. The agreement established a set of principles for the protection of personal data, to which companies established in the United States could voluntarily adhere in order to receive personal data from the European Union.
The Court of Justice held that this mechanism, which was intended to compensate for the inadequacy of US legislation on the protection of personal data in relation to European legislation, did not provide sufficient guarantees because of the possible interference by the US public authorities with the personal data thus transmitted and that it infringed the rights guaranteed by the European Charter of Fundamental Rights. Following the "Schrems" judgment, the Commission concluded in February 2016 a new agreement with the United States on the framework for transatlantic data transfers entitled "Privacy Shield". This is intended to be more protective, but questions remain as to whether there is a risk that this agreement will also be invalidated in the long term by the European courts.
European legislation and judges are therefore currently trying to strengthen the protection of European citizens. While the strengthening of legal rules is undeniable progress, it is not an end in itself, as there is often a major practical difficulty: how to ensure the effectiveness of the new rules if the foreign operator in question is not physically established on EU territory? How, in this case, can a search be carried out, a manager be questioned or a financial penalty be recovered?
Raising awareness among Internet users
Until the computerization of our societies, forgetting was a constraint of human memory. Since computerization, forgetting no longer exists. The capacities of computer memory are now such that the length of time an item of information is stored far exceeds the length of a human life. This "omniscience" of machines can thus potentially become a real virtual social record and, for some, a passport to exclusion.
In this context, the protection of privacy and personal data does not depend on legal rules alone. It also requires technical solutions, such as "privacy by design" Internet browsing tools (which make it possible to limit the traces left by browsing), as well as the responsibility of Internet users and the application of certain rules of prudence. From now on, the major challenge may be to ensure greater awareness among all the players, especially users, and the youngest among them in particular. The aim is to encourage them to exercise greater moderation in the information they deliberately make public on the Internet.
Introduced four decades ago, the "Informatique et Libertés" regulation was designed to protect people against abusive filing by administrations or companies. Today, the question arises differently: how to protect users against themselves?
Guillaume Desgens-Pasanau, Magistrate, Associate Lecturer at the National Conservatory of Arts and Crafts (CNAM)
The original text of this article was published on The Conversation, editorial partner of UP'.