The first story we’ll be discussing is one involving Facebook, and Mark Zuckerberg. Recently, a new lawsuit has been filed against Zuckerberg by Attorney Karl A. Racine. Zuckerberg is being sued for directly taking part in decision-making that allowed the Cambridge Analytica data breach. The lawsuit also states that Facebook lied to users with regards to promises made around data protection and privacy. It is alleged that Zuckerberg facilitated the poor privacy agreements and lack of protection given to user data.

As a result of this, third-parties such as Cambridge Analytica were allowed to have access to the personal data of over 87 million Americans, which was then used to effect the 2016 election. A Racine has been quoted as saying:

“The evidence shows Mr. Zuckerberg was personally involved in Facebook’s failure to protect the privacy and data of its users leading directly to the Cambridge Analytica incident. This unprecedented security breach exposed tens of millions of Americans’ personal information, and Mr. Zuckerberg’s policies enabled a multi-year effort to mislead users about the extent of Facebook's wrongful conduct.”

The evidence that A Racine refers to involves hundreds of thousands of documents, hours of Mr Zuckerberg’s public statements, as well as his sworn testimony. In addition to this, evidence coming from the depositions of Facebook’s former employees, whistleblowers and directors have been looked at. The evidence supposedly brings about the conclusion that Zuckerberg failed to oversee a system that ensured data security and data protection, which allowed Cambridge Analytica, as well as other third parties to use the personal information and data of Facebook’s users.

The case involving Facebook’s inability to protect user data from Cambridge Analytica using it to influence the 2016 US election comes from the fact that in the run up to the 2016 election, a third party was allowed to launch an app through Facebook which posed itself as a personality quiz. This app, whilst collecting data from the user completing the quiz, also collected data from that user’s Facebook friends, without the knowledge or consent from them. The data that was collected was then sold by the app developers to Cambridge Analytica, who then used it to aid presidential campaigns and send out targeted advertisements to people based on their personality traits. This failure to protect user data, according to OAG, is one of various examples of Facebook misleading users and failing to uphold the data privacy regulations they are required to follow. It’s important to note that under the US’ Consumer Protection Procedures Act, an individual is responsible for a company’s actions should it be found that the individuals knew about, controlled, or failed to stop the company’s actions. Therefore, Zuckerberg would be liable for Facebook’s violation of consumer privacy laws.

ICO Fines Clearview over £7.5 million

The ICO has recently handed a fine to Clearview AI Inc- an amount totalling over £7.5 million (£7,552,800 to be exact). The breach that Clearview have committed is over their use of images of people inside and outside of the UK, collected from the internet and social media in particular to create a global online database that could be used for facial recognition. In addition to the fine, the Information Commissioner’s Office has ordered the company to to stop collecting data from UK residents that is available online, and to delete the data it currently holds on UK residents. A joint investigation was carried out with the Office of the Australian Information Commissioner where Clearview’s use of images, data scraping from the internet and the use of biometric data for facial recognition was looked at. 

Shockingly, Clearview had amassed over 20 billion images of people from various web platforms that were available publicly. Clearview didn’t inform anyone about the use of their image to create this database, and no consent was obtained. The database that Clearview had created was then used in an app that allowed anyone to upload an image, which would then be compared to everyone else on the database. In addition to this, the app would show people images of people who had similar features to the person in the image they upload, as well as links to the location that the app found the images. Now, even though Clearview no longer offers their services in the UK, they still operate in other countries, meaning that they were still using the images they had collected of UK residents, without their consent.

John Edwards, the UK Information Commissioner, had the following to say with regards to the Clearview fine:

“Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

The ICO has stated the following ways in which Clearview Inc have breached UK data protection laws:

• failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
• failing to have a lawful reason for collecting people’s information;
• failing to have a process in place to stop the data being retained indefinitely;
• failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
• asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.