The Great Hack

Finding the relevance of the Netflix documentary in the Australian context.

This article was published in the Conference Edition of the GRC Professional Magazine.

Near the end, the Netflix documentary plays a clip from Guardian investigative journalist Carole Cadwalladr’s TED Talk, titled ‘Facebook’s role in Brexit—the threat to democracy’.

And what you don’t seem to understand is that this is bigger than you. This is bigger than any of us. And it is not about ‘left’ or ‘right’ or ‘leave’ or ‘remain’ or ‘Trump’ or ‘not’. It’s about whether it’s actually possible to have free and fair elections ever again.

While this quote seems specific to the United States and even the UK, data regulation and responsibilities around data stewardship have international implications.

The role Cambridge Analytica played to secure victories for the Trump and Brexit campaigns by using Facebook data is one that has raised critical questions surrounding the value and ethical use of data.

Such questions have become even more pertinent with the recent passing of the Consumer Data Right through Parliament here in Australia, and with ongoing discussions on consumer data rights in the energy sector. Similarly, the Australian Competition and Consumer Commission (ACCC) has just released its digital platforms report.

The new Netflix documentary film, The Great Hack, follows the journey of Professor David Carroll, a one-time app developer who launched a case against Cambridge Analytica to retrieve the data held on him by the company. The film also follows former-employees-turned-whistle-blowers Brittany Kaiser and Christopher Wylie and focusses on how they used data to find and target the ‘persuadables’ to push the campaign in the direction they had been hired to promote.

Another key figure is writer and investigative journalist Carole Cadwalladr, who uncovered links between Cambridge Analytica and the Leave Brexit campaign.

When it comes to the relevance of such issues in Australia, as in the film, if one looks beyond political partisanship and poor media literacy, then what it boils down to is data protection and consumer consent. And, as a data steward here as elsewhere in the world, Facebook has consistently failed to protect consumers against their data’s use without their consent.

When the Cambridge Analytica story broke, Acting OAIC Commissioner, and now Commissioner, Angelene Falk made a public statement about the investigation into Facebook on the basis that 300,000 Australians may have been affected and that their data may have been acquired without authorisation.

At the time, Falk reiterated that all Australian organisations were covered by the Privacy Act and that consumers must be notified about the collection and handling of their data.

Last year, the Commissioner spoke at the iappANZ 2018 Summit and said, in the context of Facebook and Cambridge Analytica:

And from my perspective, following the Facebook-Cambridge Analytica incident, I saw Australians witnessing what I describe as the “dawning of digital data”, and all its implications.

Then, in July, Facebook was slapped with an AUD$7.1 billion (US$5 billion) fine by the Fair Trading Commission (FTC).

Speaking at a press conference on 24 July, FTC Chairman Joe Simons said:

The magnitude of the $5 billion civil penalty we have imposed is unprecedented in global privacy enforcement. This penalty is more than 200 times greater than the largest privacy penalty previously imposed in the United States and is more than 20 times greater than the largest fine imposed in Europe pursuant to the General Data Protection Regulation. Five billion dollars is approximately 9% of Facebook’s 2018 revenue, and approximately 23% of its 2018 profit.

He added that:

This penalty is also one of the largest civil penalties—for any type of conduct—in US history, alongside cases involving enormous environmental damage and massive financial fraud. The enormity of this penalty resets the baseline for privacy cases and serves as an important deterrent for future order violations.

And more is being done in the United States to protect consumer data under the California Consumer Privacy Act, which is set to come into effect next year.

This was something alluded to at the annual Risk Map Breakfast held in Sydney in January by Control Risks. Speaking at the event, Control Risks Senior Partner Dane Chamorro said, “It’s our form of the GDPR [General Data Protection Regulation] and it grew out of the Facebook and Cambridge Analytica scandal. It is about data privacy, and you’ve got a little over a year to get compliant with it before it’s finished in all of its forms.”

The GRC Professional Podcast spoke to Bronwyn Gallacher from CCL Consultants on the topic of consent and businesses’ use of consumer data. Like the OAIC Commissioner, Gallacher highlighted the importance of adhering to the Australian Privacy Principles (APP) and the importance of monitoring and auditing existing privacy principles:

I think generally, from what I see, companies have privacy policies in place—whether or not they are actually monitoring them and auditing them can sometimes be another matter. And I guess what the new horizon is, or what we can call it, is whereby consumers are not just necessarily filling out a form in a bricks and mortar location but rather providing information by way of the internet and they might be disseminating that information to Australian-based companies who may be distributing it to other third parties, and/or alternatively, they might be distributing that information to international-based companies but not really understanding where their data is going, assuming that they’re Australian based.

Falk’s ‘dawning of new digital era’ and Gallacher’s ‘new horizon’ relate directly to the theme The Great Hack’s protagonist is trying to address—that is, the question of ethics surrounding data collection and data use that exists beyond the dissolution of Cambridge Analytica and the Facebook fines.

To date, the only real response has been a fragmented regulatory approach from different jurisdictions.

©2018-2019 by The GRC Institute - Governance, Risk & Compliance.  ABN: 42862119377