Facebook’s approach to its users’ privacy came under fire in March 2018 when allegations were confirmed in relation to a data breach affecting 87 million Facebook users. A former employee at Cambridge Analytica, a data analysis firm specialising in psychographic modelling, provided testimony to the Times and The Guardian that Cambridge Analytica had purchased this Facebook data in 2015 from an academic, Aleksandr Kogan.

In 2014, Kogan circulated a personality quiz on Facebook. Users could only take the quiz after consenting to allow the application to ‘scrape’ data from their Facebook profile, and from the Facebook profiles of their unwitting Facebook friends. About 270,000 people took the quiz, but through the friends’ profiles loophole data was obtained from up to 87 million users.

Facebook applications were permitted by Facebook’s terms of service (‘terms’) to access friends’ profiles for certain purposes until 2014. Kogan’s application had ostensibly stated that the data was being collected for academic purposes, a practice allowed by the terms. When Facebook learned that the data had in fact been sold to Cambridge Analytica in breach of the terms, it immediately secured assurances from Cambridge Analytica and Aleksandr Kogan that the data was destroyed. However, it never followed up to ensure that such destruction had taken place. Furthermore, it did not inform users’ of the breach involving their data.

When the breach was confirmed, Facebook publicly acknowledged the importance of data privacy and that their response to the breach had been inadequate. In an interview and in an appearance before a US Senators committee, CEO Mark Zuckerberg admitted that Facebook “didn’t do enough to prevent these tools [including data scraping] from being used for harm”. Through announcements on Facebook and in newspapers, a message from Zuckerberg said: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you”. Facebook also belatedly took steps to make affected users aware that their privacy had been breached, and announced a system to make all users more aware of the information that they share when they use certain applications on Facebook.

Facebook further promised to apply globally the “spirit” of the protections of the EU General Data Protection Regulation (GDPR) which came into effect on 15 May 2018. The GDPR seeks to guarantee digital rights for EU citizens, including data privacy protections irrespective of the location of the data. However, Facebook’s promise to adopt the GDPR was almost immediately questioned when it elected to move more than 1.5 billion users out of the reach of the new privacy laws.