It will come as a surprise to many users of social media, not just Facebook but more broadly, just how much personal data we throw into the internet ether.
Every click entered, every advertisement followed, every connection made, is monitored and tells someone something about us.
There are two central allegations against Facebook and Cambridge Analytica. First is that users were not made sufficiently aware that their consent included the commercial use and disclosure of their data. Second is that user consent was given for one purpose, but data was processed and disclosed to organisations that would use it for an entirely different purpose.
Facebook and Cambridge Analytica maintain their position that they acted lawfully throughout and the allegations have yet to be investigated by the relevant authorities, much less proved.
From a data processing point of view, it is all too easy to fall into error.
Say I am a director in a company. A customer purchases a product from my website. I think they might be interested in complementary or future product lines, and so I pass their data to someone in my marketing department, who then sends the customer a helpful marketing email.
Without consent, that is a breach of the Data Protection Act.
One of the problems here is that if companies were to provide consent forms for all the purposes for which they want to process data, these consent forms would be pages long. Most research suggests that we as consumers do not read the fine print of the terms and conditions before we tick that “I agree” box as it is.
But a more fundamental issue is that we post our personal data on social media sites each day. The data is out there for the taking. It is a short step for data harvesters to process that information and use it.
How, in reality, can this be prevented, and where does informed consent come into the debate?
Social media is designed for – indeed, its raison d’etre is – the sharing of personal data. The basis of the “deal” we enter into with our social media platforms is this: we give them data and they give us a free service (hence the well-known warning “if you’re not paying for it, you’re the product”).
There are billions of users, and I would gently point out that not all of them are likely to read the fine print of the consent forms that they are “tick-boxing”.
I would suggest that we tacitly accept – and, indeed, perhaps expect – our personal data to be used and processed by those who pay the platforms (advertisers and political parties and their consultants) so that we can continue to enjoy the service for free.
The legal framework is there, it is true, to regulate data processing. I suggest, though, that regulators are limited, given the numbers of users and the amounts of data, to investigating and preventing the worst excesses.
That said, those whose job it is in companies to process the personal data of employees, clients, customers and suppliers need to be on all fours with the law as it now stands, and with the new General Data Protection Regulation, when it comes into force in May.
What the current data row implies is that while we might be tacitly prepared to have our data used by retailers, we are not willing to have it used by those who might want to influence our politics. Consent is a tricky thing, and companies need to have explicit consent for the actual purpose for which they are going to use the data.
But we all need to be more vigilant about the boxes we tick, and the data we so freely give away.