Why the Cambridge Analytica-Facebook scandal is a wake-up call for all governments: Seven steps for a global response

As we said before, Facebook and Cambridge Analytica scandals are a wake-up call for policy makers. And also a global issue. People around the world are concerned by the exploitation of their data. The current lack of transparency into how companies are using people’s data is unacceptable and needs to be addressed.

There is an entire hidden ecosystem of companies harvesting and sharing personal data. From credit scoring and insurance quotations to targeted political communication, this data is being used for far-reaching purposes. And while there are some personal data and consumer protection laws around the world, they are full of loopholes and tend to lack solid institutions and enforcement mechanisms.

Data isn’t stopping at the borders and our rights and protections shouldn’t either. Companies are using countries with low protections as testing ground for worst practices. They are also pushing a race to the bottom on privacy regulations in international negotiations, and doing their best to evade enforcement where there is any. It is important to note that governments have played a key role in enabling and supporting such a context of data exploitation by failing to adopt and enforce robust legal and regulatory frameworks to ensure the privacy of their citizens are protected, within their jurisdictions and beyond.

It is about time to come up with much needed global safeguards to protect our data. Here are seven ways in which states and international bodies should respond to these scandals:

1) Push for global awareness of data exploitation as an interference with the right to privacy.

Privacy is a universal human right, yet the possibilities of interfering with this right have grown exponentially. The recent scandals involved operations in the United States, United Kingdom, Kenya, Mexico, Colombia, Argentina and more. Our rights don’t stop at the borders: states and companies have obligations and responsibilities to respect and protect the confidentiality of our communications and data, without regards of who has and where it is. Currently, the High Commissioner for Human Rights of the United Nations is working on a new report on the right to privacy in the digital age to be presented this year. And an open consultation is open until next April 9. It is an excellent opportunity for the UN to address how data exploitation is expanding and interfering with the human right to privacy.

See Privacy how International is working at the UN, and a brief guide on how to talk about the right to privacy at the UN

2) We need robust and enforceable privacy, data protection and security safeguards, not market-driven ‘Data Ownership’

People should be in control over their data, no matter where they are and no matter who holds it. Yet, companies and governments everywhere are promoting the idea of ‘data ownership’. Ownership implies that people can sell away their fundamental rights. This is a false solution that risks exacerbating the imbalance of power rather than addressing it. We need comprehensive data protection laws and other regulatory mechanisms that are designed to safeguard people, not business models nor state control over their citizens. Also regulations that encourage healthy competition, not data monopolies. The latter will only result in the exploitation of people’s economic concerns at the expense of their personal data and fundamental right. Privacy shouldn’t be a luxury.

See Privacy International’s work on modernising Data Protection Laws around the world.

3) Data Protection and other regulatory frameworks need independent and well-resourced enforcement bodies

The recent scandals show that even blatant violations of the law only ever reach the public eye if someone investigates. Data protection and consumer protection regulatory bodies play invaluable roles by instigating investigations, responding to complaints and taking enforcement action. That is why data protection laws should create strong, independent and properly resourced enforcement bodies with the capacity to carry out their own investigations into abuses. This is an essential component of enforcement to guarantee that these rights are respected for everybody, and not only for the powerful.

4) Loopholes shouldn’t render privacy and data protection laws ineffective.

Across the world, privacy and data protection laws include exceptions that could render them ineffective. Wide and indiscriminate exceptions are a Trojan horse threatening the protection of personal data. Blanket exceptions for public institutions, law enforcement, intelligence agencies, political parties, small and medium enterprises and other actors, along with the poor regulation regarding the processing of data obtained from ‘public sources’, are currently threatening personal and sensitive data, to be used in ways we are unaware of and against our will. Another loophole is the lack of regulation of international data transfers, which allows governments and companies to move our data to jurisdictions with poor regulations, without any assessment of the adequacy of their systems.

5) Individuals need effective remedies against unlawful practices.

Even where data protection laws are in place, exercising data protection rights can be a burdensome task, especially when there are no data protection agencies, or when complaint mechanisms are obscure and/or expensive. That is why we need effective remedies, that not only address the current violation but also deter from similar scandals. Often individuals do not know that their data has been exploited and the harm is a degree (or more) removed from the visible impact. That is why there is need for procedures to allow non-profit organisations to pursue data protection infringements on their own initiatives and seek remedies to benefit all those affected.

6) Privacy is a fundamental right, not a commodity to trade away in international agreements.

Free trade agreements are increasingly addressing data an e-commerce issues, pushing narratives with ‘free flow of data’ as a default norm, enabling and encouraging massive and indiscriminate global data exploitation models, and pushing privacy and data protection rights into exceptions,presenting them as burdens which hinder innovation and prosperity. Trade negotiators should treat data as a fundamental right, not a commodity or a bargaining chip. Our rights should flow alongside our data throughout the data life cycle.

7) Data protection should not be an excuse to enable more surveillance.

What makes our data safer is the adoption, implementation and enforcement of comprehensive data protection laws, along with security policies and technical measures, nor forcing its sharing, and neither providing direct access to law enforcement agencies. These proposals to expand surveillance powers shouldn’t be used to justify the increasing processing of personal data, and threats of data exploitation and cybersecurity should also not be an excuse to increase State surveillance powers.