Protecting data caught in the ‘dragnets’ of Facebook


By Wilkie Hollens

Future trainee Wilkie Hollens explores why protecting data matters in an era when it’s ‘increasingly likely’ we’ll begin falling in love with our computers, in his shortlisted entry to the BARBRI International Privacy Law Blogging Prize


In Spike Jonze’s film Her, a lonely, introverted man falls in love with his computer.

The operating system, voiced by Scarlett Johansson, comes to know and understand the man better than the other women in his life. The film can seem a little unlikely, until you realise that Facebook can know you better than your spouse.

A now-famous 2013 study showed an algorithm could better determine a person’s personality traits than other humans by analysing a person’s Facebook “likes”. With just 300 data points, the algorithm could, on average, even outperform the user’s spouse. For those of us ugly enough to avoid such comparison, never fear: with just 70 data points, the algorithm outperformed the test subject’s friends.

As tedious LinkedIn posts like to remind us, using big data is the “next big thing” and it’s hard not to agree in the light of studies like this. But to avoid an outcome like the film Her — a possibility that the researchers described as “becoming increasingly likely” — the team from Cambridge University’s psychometrics lab stressed the importance of data privacy laws to protect users’ data from the incredibly powerful insights that their research demonstrates are possible. But what rights do we have over our data — the data which Facebook (and plenty of others) mine — and what should future laws do to protect people’s data?

Facebook began hinting at how it will comply with the new data privacy regulation in the run-up to GDPR’s deadline day. It’s pretty important that they do: fines for non-compliance can reach up to €20m or 4% of global revenue turnover, which in Facebook’s case could stretch over €1.6bn. On the other hand, Facebook’s business model revolves around profiling users and selling ads based on that insight. If GDPR bites too hard on Facebook’s ability to do this, then Facebook will start to lose out in Europe.

At the heart of GDPR is an attempt to give more power to data subjects in how their data is gathered and used. For example, the requirements for consent have been updated and tightened, requiring companies to seek consent to process data for a specific purpose only. But for data mining, consent isn’t particularly helpful; it’s hard to give specific consent to a process which is inherently serendipitous. Part of what makes data mining so exciting is the lucky-dip aspect; companies don’t know what gems they might find if they manipulate and probe their data in the right way.


Fortunately for Mark Zuckerberg, there’s another way to comply with GDPR where consent isn’t first choice: legitimate interest.

Legitimate interest has all the hallmarks of a phrase which will collectively give law students nightmares, but it will allow Facebook to continue profiling its users in order to target adverts. Of course, Facebook will have to show that it has balanced its own interests against those of individual users, but as Zuckerberg was keen to remind the US Congress, its data collection allows it to serve its users better by presenting more relevant ads. After all, who doesn’t want an ad so relevant, it seems as if it were handpicked straight from your brain?

But Facebook has another GDPR-shaped hurdle to clear: the principle of purpose limitation.

What this means is that Facebook can’t collect, store and mine every piece of data on you until the heat death of the universe on the off chance that it might be useful in serving you adverts on a pair of shoes you once thought about. They have to have a purpose in mind for using that data, and the data cannot later be reused for something else other than the purpose for which it was originally collected without additional safeguards.

At face value, this sounds quite stringent. On the other hand, it’s hard to say to what level of granularity Facebook must go in telling you what the purpose is and how they plan to achieve this. If you’re brave enough to read Facebook’s data policy, you’ll see that they write: “We use the information we have to improve our advertising and measurement systems so that we can show you relevant ads.” For how long, you ask? “We store data for as long as it is necessary to provide products and services to you and others.” Facebook has defined a purpose, and that purpose is limited in a broad sense of the word, but they appear to have retained enough leeway to keep on mining without considerable hindrance. It seems likely, then, that Facebook will carry on broadly unchanged from how it has been operating thus far, at least when it comes to data mining, provided it documents how it reaches its conclusions regarding legitimate interest.

But future data privacy laws can do better at preventing our data being stored and mined forever.

The default position for websites should be to use only what they immediately need and not to hoard data. GDPR goes a long way in preventing the dragnet approach to data collection, but if Facebook’s data policy is anything to go by, collecting enormous quantities of data to be mined for advertising purposes will still persist. Even where this approach is necessary to allow Facebook to build the impressive and intelligent tools which its engineers routinely do, future data protection laws should limit how long they can keep the data. Time-limited data can still be used to build new products and train new algorithms, and, of course, everyone wants to keep (and be reminded of) those night-out photos, but as Facebook looks into collecting more and more behavioural data, such as your eye movements, data privacy law must more stringently limit the length of time this data can be stored and mined to protect users’ security and privacy.

Wilkie Hollens studied English at Oxford before completing the GDL. He currently works for Clyde & Co and will be starting a training contract at Herbert Smith Freehills in 2020.
