The Six Principles of Data Protection: Facebook fails

March 31, 2018 (updated October 22, 2020) | Kelsey Farish

Facebook may believe that dubious data collection and security practices justify a more connected audience: the incoming General Data Protection Regulations say differently.

Once again, data privacy is in the headlines. But this time, it isn’t a credit agency or department store that has fallen short of consumer expectations: instead, it’s Facebook. Much credit is due to Carole Cadwalladr and her team at The Guardian, who first broke the Cambridge Analytica story.

#DeleteFacebook was trending on Twitter for a while, and I myself was considering ditching my account – not least because I simply don’t use Facebook often. While I’ve decided against deletion, I was genuinely saddened – although, in retrospect, not surprised – to come across the leaked 2016 “Ugly Truth” memo from Facebook executive Andrew “Boz” Bosworth. You can see the memo in full at Buzzfeed, but the part that hit me hardest reads as follows:

We connect people. Period.

That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.

The natural state of the world is not connected. It is not unified. It is fragmented by borders, languages, and increasingly by different products. The best products don’t win. The ones everyone use win.

“Questionable contact importing practices”? By Bosworth’s own admission, “the ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is de facto good.”

The General Data Protection Regulations (GDPR) say differently. With less than two months to go until the implementation date of 25 May (!) I’ve set out a little refresher on the main responsibilities for organisations below.

Article 5 of the GDPR contains Six Principles of personal data collection and processing. The data controller (the company collecting or otherwise controlling the data) is responsible for, and must be able to demonstrate, compliance with these principles.

(A) Processed lawfully, fairly and in a transparent manner.
A company collecting data must make it clear as to why the data are being collected, and how the data will be used. The company must provide details surrounding the data processing when requested to do so by a person whose data is collected (the “data subject”). “Questionable practices” are likely neither fair nor transparent!

(B) Collected for specified, explicit and legitimate purposes.
Have you ever filled in a form, only to think, “why am I being asked this question?” This principle states that organisations should not collect any piece of personal data that doesn’t have a specific purpose, and a data subject must give explicit consent for each purpose. A lawful purpose could mean fulfilling a contract: for example, your address is required for shipping something you bought online.

(C) Adequate, relevant and limited to what is necessary.
Companies strive to understand customer buying behaviours and patterns based on intelligent analytics, but under this principle, only the minimum amount of data required may be stored. Asking for one scanned copy of a driver’s licence may be adequate, but asking for a driver’s licence, passport, and birth certificate might be more than necessary.

(D) Accurate and, where necessary, kept up to date.
Controllers must ensure personal data is accurate, valid and fit for purpose. Accordingly, data subjects have the right under Article 16 (Right of Rectification) to rectify any personal data held about themselves.

(E) Kept for no longer than is necessary.
This principle limits how data are stored and moved, and for how long. When data is no longer required, it should be deleted. This is closely related to the Right of Erasure (“Right to be Forgotten”) under Article 17, which I previously wrote about in respect of the Google case in England.

(F) Processed in a manner that ensures appropriate security.
This principle is perhaps what most people think about when they think of data protection. It means that IT systems and paper records must be secure, and the security must be proportionate to the risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR!

In 2016, a Gallup study found that Millennials (those of us born between 1981 and 1996) are generally aware of potential data security risks, but less likely to be concerned about them. Prior to familiarising myself with these principles, I simply thought data protection was another phrase for “IT security”. I thought it was just about firewalls, encryption, and outsmarting hackers.

But in the months I’ve been helping clients to get ready for the GDPR, I’ve realised that compliance is about more than just having strong passwords: it really is a mindset. That’s what’s so disappointing about Facebook’s apparent attitude towards the end consumer, in which people are seen only as a series of clicks or “likes” which can be analysed, predicted, and manipulated – at any cost. My Facebook account may remain active, but I for one will certainly be less engaged.

Photo credit – Book Catalogue

Tags: Cambridge Analytica, data protection, digital media, Facebook, GDPR, privacy, technology
