• Daniel Bruun
The purpose of this thesis has been to investigate, whether Facebook and Cambridge Analytica have violated the provisions in the EU’s General Data Protection Regulation. Furthermore, the thesis similarly explored the possibility that the implicated companies may be sanctioned as a result of their conduct and actions in the recent case.

This study has been completed on the basis of the relevant legal sources and certain news articles, which serves as the factual evidence in the Cambridge Analytica case. Additionally, the study has revolved under the underlying assumption that the legal problems in the case will be decided by the provisions in the new Regulation and not the old Data Protection Directive.

Initially it was explored whether the factual circumstances of the case, satisfies the substantive and territorial requirements of the Regulation. The case pertains to the processing of highly sensitive personal information on 87 million Facebook users, which has been conducted from Cambridge Analytica’s office in Britain. It can therefore be concluded that the provisions in the Regulation are applicable in this case.

Subsequently, the study examined the legality of Cambridge Analytica’s activities. It could be rejected that the Facebook users had forfeited their data rights by making the information available on Facebook. Furthermore, it was not substantiated that Cambridge Analytica ever held any lawful basis that justifies the alleged activities of the company. Cambridge Analytica has therefore failed to meet the foundational principles that applies to the processing of personal data, which are stated in the Regulation.

The study similarly found that Facebook has failed to honor the obligations, which applies to the data controller. Specifically, the company has not succeeded in securing an adequate level of data security that could have protected the data from being exploited in conjunction with unlawful purposes. Facebook also failed to disclose, to the concerning data subjects and relevant supervisory authority, respectively that it had become aware of a data breach. It could therefore be concluded that Facebook also have failed to meet the basic principles that applies to the data controller as stated in the Regulation.

Lastly, as the case pertains to infringements of the core processing principles in the Regulation, the most burdensome sanction is applicable against both companies. Facebook can therefore receive an administrative fine of 4 % of its total worldwide annual turnover. Cambridge Analytica has begun insolvency procedures which makes it harder to predict the legal ramifications for the company. However, the British Data Protection Agency (ICO) has stated that it currently holds every legal opportunity open, as it continues its investigation of the Cambridge Analytica case.
Publication date17 May 2018
Number of pages58
ID: 279403076