*UPDATE: This story has been updated on Wednesday (21 March) to include a statement from Andrea Jelinek, the chair of the umbrella group of EU data protection authorities*
Privacy regulators across the EU should join together to investigate allegations that London-based firm Cambridge Analytica illegally analysed millions of Facebook users’ data, the EU’s top data protection watchdog has said.
National authorities from across the EU should form a joint taskforce to determine whether the social media giant and Cambridge Analytica broke the bloc’s strict data protection laws.
“None of us may succeed alone. A joint action is needed,” Giovanni Buttarelli, the EU data protection supervisor, told reporters on Tuesday (20 March).
His comments dialled up growing pressure from outraged European politicians to crack down on Facebook and Cambridge Analytica over the allegations of massive data harvesting.
Data protection regulators can investigate legal breaches in their own member states and can coordinate their inquiries to share information if more than one authority investigates the same case.
On Wednesday (21 March), Andrea Jelinek, the chair of the Article 29 Working Party, the umbrella group of national data protection authorities from EU member states, said the organisation is working together to investigate the incident. The UK authority is leading the group’s inquiry.
“As a rule personal data cannot be used without full transparency on how it is used and with whom it is shared. This is therefore a very serious allegation with far-reaching consequences for data protection rights of individuals and the democratic process. ICO, the UK’s data protection authority, is conducting the investigation into this matter. As Chair of the Article 29 Working Party, I fully support their investigation. The members of the Article 29 Working Party will work together in this process,” Jelinek said.
The UK data protection authority ICO opened an investigation last year into how data analytics companies were used in the lead-up to the Brexit referendum, after reports first circulated about Cambridge Analytica’s analysis of Facebook profiles for political clients. On Monday, the regulator’s office said it would look into new evidence, referring to the reports about Facebook’s knowledge of the data use.
Buttarelli said on Tuesday that allegations about Cambridge Analytica using 50 million Facebook users’ profile data to influence political campaigns “could be the scandal of the century”.
Media reports on Saturday (17 March) about Facebook’s knowledge of an app that collected data from the social media platform and fed it back to Cambridge Analytica in 2016 might just be “the tip of the iceberg,” Buttarelli warned.
The New York Times and the Observer reported over the weekend that millions of Facebook users’ profiles were analysed for political campaigns without their consent, and that Facebook knew of the data harvesting but did not inform its users.
Buttarelli said the allegations posed “an extremely important test for all of us”, referring to the national privacy watchdogs from EU countries.
Cambridge Analytica’s clients included Donald Trump’s presidential campaign and the Leave.EU campaign in the 2016 Brexit referendum, according to the newspapers. The company has denied that it abused Facebook’s user terms to collect the data without informing users. Facebook said over the weekend that it had suspended Cambridge Analytica’s account.
“We are not here to alarm you but the problem is real and huge,” Buttarelli said.
He said the national authorities spoke to each other over the phone and by email after the latest reports broke about Cambridge Analytica and Facebook.
The regulators have started to work together more over the last few years, particularly in their actions after data breaches affecting large tech companies that operate across the bloc.
Last autumn, privacy authorities from seven EU countries banded together to investigate a breach that exposed personal data from millions of users of the ride-sharing app Uber.
The watchdogs do not currently have the power to conduct EU-wide inquiries if they suspect a company has broken the law in multiple member states. They can voluntarily agree to create special taskforces, like in the case of the Uber investigation, if more than one regulator is investigating the same case.
But that will change in May, when a stricter new EU data protection regulation comes into effect, giving regulators more muscle and the ability to impose much higher sanctions of up to €20 million, or 4% of a firm’s global turnover.
A group of multiple European authorities would be better positioned to investigate whether the incident broke EU law because Facebook’s business model and use of features such as the ‘like’ button or fan pages to track user data are the same in every country, Buttarelli said.
“The way in which the system works is global and there is no exception. There is no national approach,” Buttarelli told reporters.
Facebook’s European headquarters is in Ireland. On Tuesday, the Irish data protection commissioner said in a statement that she is “following up with Facebook Ireland in relation to what forms of active oversight of app developers and third parties that utilise their platform is in place”.
A European Commission spokesman said on Monday that the EU executive urged national data protection watchdogs to open an “EU-wide investigation”.
Vera Jourova, the EU’s Justice Commissioner, called the allegations “horrifying”.
She flew to Washington on Monday and will discuss the Facebook data case in meetings this week with Trump administration officials, her spokesman said. She will also meet with Facebook representatives.
European Parliament President Antonio Tajani said on Tuesday that he had invited Facebook CEO Mark Zuckerberg to a hearing in the house. The Parliament does not have the authority to sanction firms over breaches of EU data protection law. The UK Parliament has also summoned Zuckerberg to give evidence to MPs.
We’ve invited Mark Zuckerberg to the European Parliament. Facebook needs to clarify before the representatives of 500 million Europeans that personal data is not being used to manipulate democracy.
— Antonio Tajani (@EP_President) March 20, 2018