April 3, 2018
If the Cambridge Analytica data mining scandal has hammered home one thing, it is that data is the fuel keeping our increasingly digitized economies running. Whistle-blower Christopher Wylie, who testified last Tuesday to the House of Commons’ select committee on the matter, said as much when he compared data to electricity in our modern societies. This is hardly an exaggeration. And given that data mining proved crucial in swinging the 2016 Brexit vote and the US presidential elections, one thing is certainly clear: 2018 will be a pivotal year in the campaign for better data protection regulations.
The latest revelations have given new urgency to the development of data protection laws across all online sectors and highlight the need to curb the power of internet firms, as well as of the secondary industries that sprang up during their rise. Although scepticism about what exactly happens to the data Facebook and Google collect on their users is nothing new, the braggadocio of Cambridge Analytica’s disgraced CEO Alexander Nix to an undercover reporter has put the final nail in the coffin of public trust in online companies.
Popular concern about the collection, sale and use (or misuse) of private data is no longer an abstract concept. In an unprecedented blow to the “innovators” of the digital industry, the scandal has painfully exposed the total lack of accountability of global internet giants. Now, policymakers are confronting a truly postmodern paradox, where online corporations know far too much about individual online users, and disturbingly little about third-party programmes linking themselves into social media’s data streams.
Facebook, of course, has received most of the bad press, and deservedly so. Most of the focus is on the company’s insistence that it was “deceived”, regardless of all evidence to the contrary. However, the matter of consumer protection goes far beyond Facebook. The collection of user data is an issue that affects all internet activities, including especially sensitive ones such as online banking and the use of cryptocurrencies. The fact that Facebook has already forayed into these sectors should merely serve as an extra impetus for adapting existing laws to the realities of the twenty-first century.
No surprise then that digital payment companies were some of the first to question the security of transaction data transferred via Facebook and Google. Especially after Google joined Facebook-owned WhatsApp in partnering with various banks to enter the murky waters of India’s payments ecosystem, worries about data abuse thrived. As it turned out, these worries were well founded. Showing just how far India is lagging behind in its awareness of the dangers associated with the online world, the country to date has no laws addressing data theft, be it on Facebook or for currency transactions.
For a country aspiring to become cashless, this is a major problem. In May 2017, the government launched an online payment app, Aadhaar Pay, whose security was promised to be guaranteed through biometrics. Nevertheless, in January 2018, an apparent data leak of over one billion Aadhaar numbers caused a massive media storm. Although the leak was denied by the authorities and the cause never explained, security experts had pointed out a month after the app’s launch that an appropriate security testing and certification framework should be in place in order to ensure that third-party apps would not unknowingly tap into Aadhaar’s system. The subsequent leak suggests that no such testing was done.
While India with its lack of regulation is an extreme example, other regions of the globe are more up to speed. Europe is ahead of the curve with regard to online privacy regulation and is well-positioned to apply regulatory innovations. The Malta Gaming Authority, for example, has become a pioneer in regulating cryptocurrencies and associated data protection. As Maltese authorities have expressed concern over virtual currencies in the past, the MGA is now the first regulatory body of a European country to engage in a tentative “soft roll-out” of blockchain to assess its threats and opportunities.
At the same time, even Brussels is waking up to the new realities. With the General Data Protection Regulation (GDPR), the EU is laying out one of the most comprehensive data protection rules yet. Aside from a “right to erasure” of personal data, the GDPR governs consent and data breaches, and looks to give data protection authorities across the bloc the power to probe online firms where necessary. Most importantly, the GDPR was designed to curb the overreach of the centralized authority model characteristic of blockchain and certain cryptocurrency applications, thereby allowing each user to remain the owner of his online data.
The unfolding Cambridge Analytica-Facebook scandal is a global wake-up call for legislation to catch up to the internet. With social media, online banking and virtual currencies shifting our lives further into the digital realm, we can hardly trust the underbelly of the internet with our personal information. Internet firms and the apps that benefit from their operations must no longer be able to do with our personal information as they please, without any legal recourse for users. It is high time those with keys to our online cities were held to account.

Meredith Smith