Identity Blog

The Facebook-Cambridge Analytica Meltdown: Why GDPR is the Solution

Did you hear about the Facebook data breach? Strictly speaking, it wasn't a breach at all. According to the reports, the personal information of over 50 million Facebook users was freely provided by the platform and then handed to a third party without those users' permission. Is that scarier?

What Happened

In a nutshell: Cambridge Analytica, a political consulting and data-analytics firm, needed data to validate models designed to influence voters during election cycles. It hired a third party, Dr. Aleksandr Kogan, an academic in the UK, who built a Facebook app called "thisisyourdigitallife". The app presented a personality survey whose answers were used to build psychographic profiles of the respondents and predict their political leanings.

All sounds harmless, except for the scary parts. Although only about 270,000 people took the survey, the New York Times reports, Dr. Kogan was able to obtain data on 50 million users. He did this by pulling information about the friends and connections of the people who took it: Facebook's platform API at the time let an app that one user had authorized also retrieve data about that user's friends, who had never seen the app. So if you had never taken the survey or consented to your information being used, your data was still taken, and under Facebook's platform rules of the day this was permitted.

What was not allowed was selling that data on to a third party. Having claimed to be collecting the data for academic purposes, Dr. Kogan passed it to Cambridge Analytica for commercial use. That is the basis for calling this a breach: the use of Facebook users' personal information, by a third party, for a commercial purpose the users never agreed to. After initially claiming ignorance, then denying there was a breach, Facebook eventually admitted one and is finally taking action. Good to get those barn doors closed after the horses are gone.

What Consumers Can Do

This is not just a Facebook issue, though. Other platforms collect vast amounts of personal information about consumers and turn that data into revenue. Consumers often assume those organizations are also obligated to protect their privacy. That is not always the case, and in practice it has not been happening: data breaches are occurring with greater frequency and wider impact.

So what is a consumer to do? How can they protect their personal data online? As our world moves further online (shopping, banking, insurance, education, employment) it is no longer feasible to simply not participate. There are several things that can be done:

1. Consumers need to demand protection through government regulation like the GDPR

2. Consumers need to raise their own awareness online and protect themselves

Regulations like the GDPR (General Data Protection Regulation) are designed to protect consumers from situations like the Facebook breach. Key elements of the GDPR that do this include:

1. Consent – Where processing relies on consent, it must be collected for each specific purpose the personal data is used for, not as a blanket grant. That consent must be explicit, freely given and recorded, and the customer has the right to withdraw it at any time. Reusing data collected for one purpose (academic research) for a different one (commercial profiling) is exactly what purpose-bound consent is meant to prevent. Consent is one of several lawful bases the GDPR recognises, but it is the one at stake when a company wants to put data to a new use.

2. The Right of Access – Customers must be able to get at their data at any time. They have the right to be told what personal data a business holds about them, where it came from, who it has been shared with, and whether it is being processed for the purposes for which it was collected.

3. The Right to be Forgotten – Customers can require any service provider that falls under the GDPR (which reaches organizations anywhere in the world that process the data of people in the EU, so in practice most large platforms) to erase their personal data, and the provider must comply unless a narrow legal exception applies. A closely related right, data portability, lets the customer instead ask for their data in a machine-readable, "portable" format they can take with them.
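The three rights above, together with the friends-data problem described under "What Happened", can be made concrete in code. The following is an added example (not from this post, and not any Facebook or vendor API): a hypothetical purpose-bound consent ledger in which every read of personal data names the data subject and the purpose, a friend's data is never released on the strength of someone else's consent, and the subject can inspect, withdraw and erase. The class name ConsentedStore, the purpose strings and the sample users are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentRecord:
    purpose: str                        # one consent covers exactly one purpose
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentDenied(PermissionError):
    """Data requested for a purpose the subject has not (or no longer) consented to."""


class ConsentedStore:
    """Hypothetical store of personal data keyed by data subject (example code)."""

    def __init__(self) -> None:
        self._profiles: Dict[str, dict] = {}
        self._friends: Dict[str, List[str]] = {}
        self._consents: Dict[str, List[ConsentRecord]] = {}
        self._audit: List[dict] = []        # who asked for whose data, why, and the outcome

    # ---- data subject side --------------------------------------------------
    def add_subject(self, subject: str, profile: dict, friends: List[str]) -> None:
        self._profiles[subject] = dict(profile)
        self._friends[subject] = list(friends)

    def grant(self, subject: str, purpose: str) -> None:
        self._consents.setdefault(subject, []).append(ConsentRecord(purpose, _now()))

    def withdraw(self, subject: str, purpose: str) -> None:
        for rec in self._consents.get(subject, []):
            if rec.purpose == purpose and rec.active():
                rec.withdrawn_at = _now()    # history is kept; only the active flag changes

    def has_consent(self, subject: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.active()
                   for r in self._consents.get(subject, []))

    # ---- controller / app side ----------------------------------------------
    def read(self, requester: str, subject: str, purpose: str) -> dict:
        """Every read is logged and gated on the subject's own consent for this purpose."""
        allowed = subject in self._profiles and self.has_consent(subject, purpose)
        self._audit.append({"requester": requester, "subject": subject,
                            "purpose": purpose, "allowed": allowed, "at": _now()})
        if subject not in self._profiles:
            raise KeyError(subject)
        if not allowed:
            raise ConsentDenied(f"{subject} has no active consent for {purpose!r}")
        return dict(self._profiles[subject])

    def read_friends(self, requester: str, subject: str, purpose: str) -> Dict[str, dict]:
        """A subject's consent never extends to their friends: each friend is checked
        on their own consent, and friends without it are simply left out."""
        self.read(requester, subject, purpose)          # the subject must have consented too
        out: Dict[str, dict] = {}
        for friend in self._friends.get(subject, []):
            try:
                out[friend] = self.read(requester, friend, purpose)
            except (ConsentDenied, KeyError):
                continue
        return out

    def subject_access(self, subject: str) -> dict:
        """Right of access: the profile, the consent history, and who has read it."""
        return {
            "profile": dict(self._profiles.get(subject, {})),
            "consents": [(r.purpose, r.active()) for r in self._consents.get(subject, [])],
            "accesses": [a for a in self._audit if a["subject"] == subject],
        }

    def erase(self, subject: str) -> None:
        """Right to erasure: remove the profile, consents and every friend-list edge,
        and pseudonymise the audit trail rather than destroying it (one way to keep
        an accountability record without keeping the identifier)."""
        self._profiles.pop(subject, None)
        self._consents.pop(subject, None)
        self._friends.pop(subject, None)
        for friends in self._friends.values():
            if subject in friends:
                friends.remove(subject)
        for entry in self._audit:
            if entry["subject"] == subject:
                entry["subject"] = "<erased>"


def demo() -> dict:
    """Walk through the post's scenario with constructed sample data: an app authorized
    by one user for one purpose, then reused for another purpose and for friends."""
    store = ConsentedStore()
    store.add_subject("alice", {"likes": ["hiking"]}, friends=["bob"])
    store.add_subject("bob", {"likes": ["chess"]}, friends=["alice"])
    store.grant("alice", "academic_research")
    app = "thisisyourdigitallife"
    results: dict = {}
    results["alice_research"] = store.read(app, "alice", "academic_research")
    results["friends_research"] = store.read_friends(app, "alice", "academic_research")  # bob never consented
    try:
        store.read(app, "alice", "commercial_profiling")   # same data, different purpose
        results["alice_commercial"] = "allowed"
    except ConsentDenied:
        results["alice_commercial"] = "denied"
    store.withdraw("alice", "academic_research")
    results["after_withdraw"] = store.has_consent("alice", "academic_research")
    results["access_report"] = store.subject_access("alice")
    store.erase("alice")
    results["after_erase"] = store.subject_access("alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the design is that the purpose is a parameter of every read, not a property of the token: the app that was allowed to read Alice for academic research is refused the same record for commercial profiling, and gets nothing about Bob at all, which is the opposite of how the platform API behaved in the case described above.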

Taking Responsibility

Consumers also need to take some responsibility for protecting their own privacy online. Technology can be overwhelming, and for most people the online world is confusing. Who reads those lengthy terms and conditions presented at sign-up anyway? Most people don't. So what can you do?

1. Limit the amount of personal data you share online. This is not just your name, age, address and contact information, but things we don't think about. Did you know that every time you click "Like" on Facebook it is recorded, added to your profile and made available to Facebook's partners? If you don't want third parties to know this, limit that kind of activity.

2. Actively manage your privacy, preference and permission settings.

Many online platforms that allow third-party apps ask you to grant access to things like your data, notifications, or camera and microphone. The best approach is to treat every such request as untrusted ("Zero-Trust") and say no by default. Some apps won't work without that access, but you can always grant it later if you decide you want the feature.

It's always a good idea to review your privacy and preference settings, especially if you last did so some time ago. In the case of Facebook, this means regularly reviewing and limiting what third-party apps have access to. In a separate blog post, we show you how to do this. I actually decided to do this myself as I've never reviewed this setting on my own Facebook account. I found over 30 third-party apps that were using my data that I had never heard of!

Digital transformation is moving more of our lives online. While it would be nice to assume that the organizations we deal with online will do the right thing and protect our privacy, that is not the business they're in. It's up to consumers to become more aware and more active in protecting their own privacy. The GDPR is a step in the right direction, which is why consumers outside the EU need to demand similar protections. Identity management solutions already provide features that map to the GDPR protections above: purpose-specific consent records, self-service data access, and erasure. Start demanding those protections from your online providers.
