The Facebook-Cambridge Analytica story continues to expand as the number of those affected by the data sharing kerfuffle now reportedly numbers 87 million, up from the 50 million Facebook had originally announced.
Of those 87 million, approximately 2.7 million were European. Facebook has expressed a “willingness to engage” with EU regulators after it was also revealed that 2 billion profiles were scraped. In a press briefing Thursday, Christian Wigan, a spokesman for EU Justice Commissioner Věra Jourová, said Jourová has communicated with Facebook “to arrange for high-level contacts in the coming days.” In a tweet, Jourová said the company “needs to step up the response and protect European data.”
Jourová also said she is in talks with the U.K.’s Information Commissioner’s Office and Article 29 Working Party Chairwoman Andrea Jelinek about the new revelations. Last week at the Global Privacy Summit, Jelinek said the ICO is the lead authority investigating the incident.
The comments come after an apparent about-face from Facebook CEO Mark Zuckerberg, who suggested in an interview with Reuters earlier this week that Facebook would not apply the controls it has set up to meet the high-level compliance standards of the upcoming EU General Data Protection Regulation worldwide. Not long after the Reuters report and during a conference call with reporters, Zuckerberg refuted the story, saying, “Overall, I think regulations like this are very positive. … We intend to make all the same controls available everywhere, not just in Europe.”
Facebook Chief Operating Officer Sheryl Sandberg has also been making the media rounds. She spoke with NPR about the data-sharing incident and said the company will notify those affected once they figure out who was affected.
Sandberg also said she believes the company did not violate its 2011 consent decree with the U.S. Federal Trade Commission. “I think we’re very confident that that was in compliance with the FTC consent decree,” she said. According to Bloomberg, however, a spokesperson later clarified that Sandberg was referring to the data collected about users’ friends when 270,000 users shared data with a psychology quiz app. That data was later shared with Cambridge Analytica.
But not everyone agrees with Sandberg. In a scathing blog post for the Harvard Law Review Blog, former FTC Bureau of Consumer Protection Director David Vladeck, who worked on the Facebook consent decree while at the Federal Trade Commission, suggested the company may have been a “venal” actor and now has three strikes against it.
“I didn’t think that Facebook fell into the ‘venal’ category when the FTC first investigated the company eight years ago,” he wrote. “But Facebook’s enabling of the Cambridge Analytica campaign suggests that I may have been wrong. Facebook is now a serial offender.”
Vladeck contends that this is the third strike against the company: The 2007 Beacon incident being the first; the 2009 incident that brought the 2011 consent decree being the second.
“Facebook can’t claim to be clueless about how this happened,” he said. “The FTC consent decree put Facebook on notice. All of Facebook’s actions were calculated and deliberate, integral to the company’s business model, and at odds with the company’s claims about privacy and its corporate values.”
As a result, Vladeck contends, “The better approach would be for Facebook to acknowledge that it violated the consent decree and to come to the FTC with specific proposals for serious and enduring reform.” He suggests the company should have systems in place to prevent third parties from accessing user data without robust controls and clear notice when a third party does want access. He also says Facebook must build accountability systems to demonstrate user consent and develop controls to audit third parties when they do access user data, as well as provide remedies when enforcement is needed.
To the public, Vladeck says Facebook should appoint a “data ombudsperson” and create an independent group “outside the company that have unfettered access to Facebook data and employees to ensure that Facebook is now, finally, honoring its commitments to users, and this group should periodically report its findings on Facebook’s compliance.”
The Cambridge Analytica revelations are not the only issues affecting Facebook this week, either. The Electronic Privacy Information Center, in conjunction with several other consumer groups, said they will file papers asking the FTC to investigate Facebook’s facial recognition technology. EPIC Executive Director Marc Rotenberg said, “The problem is that the people Facebook is trying to ‘tag’ did not consent to being identified.”
In response, Facebook Deputy Chief Privacy Officer Rob Sherman said, “Our face recognition technology helps people manage their identity on Facebook and makes our features work better for people who are visually impaired.”
CNBC also reports that Facebook was in talks with a number of top hospitals and other medical groups proposing they share anonymized data about patients with the company. Facebook had intended the information be used to help hospitals identify which patients need special care or medical treatment. A Facebook spokesperson said, “This work has not progressed past the planning phases, and we have not received, shared, or analyzed anyone’s data.”
Next week, Zuckerberg will testify on Capitol Hill about the Cambridge Analytica revelations. Meanwhile, countries across the world, including Canada, the U.K., Australia, New Zealand, China and Indonesia are either monitoring the Facebook situation or launching investigations into Facebook’s data-sharing practices.