The Cambridge Analytica case. The British company is accused of recovering and using personal data from 50 million Facebook users to weigh in Donald Trump’s presidential campaign in the United States. Cambridge Analytica refutes “firmly” any accusation. The problem however is not limited to Facebook. All major internet operators have a wealth of personal data – big data – that can potentially be used as “merchandise” for both advertisers and politicians. This poses not only a general problem of protection of personal data, but also, in consequence, a problem of freedom of expression. The European Union has been trying to regulate for many years the problem of privacy  first with the 1995 directive and now with a regulation (679/2016), which will apply in all member countries of the Union from 1rst of May 2018. Libex offers Oreste Pollicino‘s analysis of both the Cambridge Analytica case and the potential impact of the EU Regulation to avoid such a problem. An article published in the Sole 24 Ore of 23 March 2018. Thanks to Oreste Pollicino for allowing us to republish it. Oreste is co-author with G. Pitruzzella e S. Quintarelli of the indispensable book (in Italian): “Words and power, freedom of expression, hate speech and fake news“, Egea 2017.

The “third season” of information
of Oreste Pollicino

The news on the Cambridge Analytica event comes in the days when the Commission of Italian experts, of which the writer is a member, is finishing to rewrite the Italian legislation on the protection of personal data to adapt it to the EU Regulation (679/2016) that may change the rules of the game. We have entered a new season of privacy: that of the political relevance of personal data and the need for its protection to prevent or mitigate the risk of violations. These are functional violations that pollute the process of forming public opinion.
Let’s take a step back: the rhetoric linked to the data theft that has accompanied this story is misleading. A fake news. There has been no stealing of data from Cambridge Analytica, but a spontaneous “release” of the same data by a few thousand users who have used an application to participate in some online personality tests. So far everything (more or less) legitimate.

However, two problems emerge

Problems arise from here on, and they are essentially two.
First, the type of use of those data by the company.
Secondly, the social contagion resulting in the appropriation, this time illegitimate, by Cambridge Analytica, of an exponentially higher number of information compared to those initially collected.

Regarding the first problem, the legitimately collected information was however used in order to create personalized messages aimed at influencing the user’s political choices. And this is illegitimate. Here is the manipulation of personal data that characterizes this new season of privacy.

The second problem is even more delicate: the exponential amplification of the illegitimate use of the information collected and manipulated. An amplification due to the mechanism of “virtual friendships” of those who resorted to Facebook’s credentials to use the application, up to involving, it is said, almost 50 million users. There are two certainties that seem to to merge from a still, on the whole, very nebulous and confusing scenario.

The first certainty

As we said at the beginning, we officially entered the third season of relevance of personal data. There have been two seasons: the first season was linked to the use of data to create increasingly surgical advertising messages. The second was the functional one for access to user data by the public authorities in order to adopt increasingly targeted anti-terrorist prevention policies. Now, it emerges clearly and alongside the previous ones, a new dimension, perhaps more disturbing because new and unpredictable until a few months ago. Reference is made to the political relevance of personal data, whose distorted use is used to pollute the processes of public opinion formation, especially during electoral rounds.

The Second certainty

The antagonism of European privacy versus US privacy no longer seems able to represent the privileged perspective through which to look at the problem of the protection of personal data in the Internet age. The Cambridge Analytics case reveals a global impact and relevance of the possible illegal uses of personal data. Therefore, the answer can only be as global as the problem. A European fortress to protect the privacy of the old continent, impregnable inside it, although at the forefront with regard to the level of data protection, seems, at the same time, unable to intercept the dangers of a global “contagion” and to prevent the consequences. Thus, there is the risk that such a protection becomes a simulacrum devoid of any effectivity. Moreover, and it would perhaps be the greatest failure, conduce to moral suasion of public and private non-European powers.

A fortress without drawbridges, that is without interconnection with the outside, is a useless fortress.

Oreste Pollicino is Professor of constitutional law, Bocconi University Member of the working group chaired by Professor Finocchiaro and in charge of adapting Italian legislation on personal data to the EU Regulation 679/2016

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=IT