Privacy issue becomes biz risk for Facebook

San Francisco/Frankfurt: Facebook faces substantial business risks from new European Union privacy rules set to take effect in May, a looming reality that came into stark relief over the weekend with revelations that a controversial political consulting firm had improperly obtained personal data on 50 million Facebook users.

Privacy experts said the disclosure that a researcher had sold Facebook data collected via a personality quiz to the consulting firm Cambridge Analytica is a prime example of the kinds of practices that the new General Data Protection Regulation, or GDPR, is supposed to prevent or punish.

The danger faced by Facebook going forward is two-fold: Complying with the rules means letting European users opt out of the highly targeted online ads that have made Facebook a money machine. Violating GDPR mandates could subject the company to fines of up to 4 per cent of annual revenues.

Had the Cambridge Analytica incident happened after GDPR becomes law on May 25, it “would have cost Facebook 4 per cent of their global revenue”, said Austrian privacy campaigner and Facebook critic Max Schrems. Because a UK company was involved and because at least some of the people whose data was misused were almost certainly European, GDPR would have applied.

Shares in Facebook fell on Monday by 7 per cent, their biggest drop since 2014, wiping nearly $40 billion off the value of the firm founded in 2004 by Mark Zuckerberg.

Mr Schrems first raised concerns in 2011 about how easy it would be for third-party apps to harvest data from the unwitting friends of Facebook users.

Facebook says it has tightened its controls on such practices since it discovered the alleged abuses by Cambridge Analytica in 2015.

Schrems has founded a non-profit, called None Of Your Business (NOYB), that is hiring lawyers and exploring avenues for “strategic litigation” over GDPR privacy violations.

According to whistleblower Christopher Wylie, who formerly worked with Cambridge Analytica, the consulting firm used the data to help then-U.S. presidential candidate Donald Trump to predict and influence choices at the ballot box.

“The fact of the matter is that Facebook lost control of the data and wasn’t adequately monitoring what third-parties were doing,” said Scott Vernick, a partner and an expert in privacy and data security at the Philadelphia law firm Fox Rothschild.

Mr Vernick said the maximum GDPR fine could come into play in an incident like this because of the number of users affected and what appears to have been inadequate monitoring of third-party data practices.

Facebook said it changed its policies in 2014 to “to give much less data, especially about friends,” Facebook VP Andrew Bosworth said in a Facebook post on Monday.

“We conduct a robust review to identify potential policy violations and to assess whether the app has a legitimate use for the data,” the company said on Monday. “We actually reject a significant number of apps through this process.”