The public outcry from the aftermath of Facebook’s largest breaches of information privacy to date has highlighted the necessity for more comprehensive data privacy regulation. Transparency and respect for user consent are fundamentally absent from current data practices, and accordingly sufficient consumer protection laws must be put in place to combat the misuse of sensitive or unsolicited data.

What steps can be taken to ensure consumers have full sovereignty over their own personal information?

What happened and who is responsible?

Data brokers such as political firm Cambridge Analytica, ousted for the Facebook breach and infamous for the exploitation of consumer data through controversial tools influencing the Trump campaign, operate in a largely invisible industry worth billions. Compiling databases spanning thousands of data segments used to profile consumers, data brokers sell off information that can be capitalised on for political and financial gain. Advertisers, often the recipients, utilise this third-party data on a daily basis to target users with products and services catering to their demographics.

Third-party access to user information and their social networks through Facebook-linked applications enabled Cambridge Analytica to procure the data of 87 million users worldwide; a conservative figure at best. Amidst accusations of predatory practices, the company has issued major reforms by limiting developer access to account data and no longer permitting the use of third-party data for targeted advertisements. Facebook CEO Mark Zuckerberg reassured their stance on the matter stating, “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you”, since proactively seeking out and suspending affiliated data analytics firms AggregateIQ and CubeYou to curb further data leaks. 

Silicon Valley has remained unregulated since the dawn of the information age, allowing the tech industry to flourish and innovate in an unprecedented rate. It was inevitable that with such expansive growth it would naturally incur policing, but the main question is whether we can find a compromise. Promising to self-regulate and place consumer data protection at the forefront of their concerns, Facebook faces multiple class action lawsuits from high profile firms Hagens Berman, Scott + Scott LLC and Pomerantz LLP. Australian privacy laws fall short in consumer protection in comparison to our counterparts in the United States, preventing Australian citizens from pursuing legal proceedings overseas against the major tech giants of Silicon Valley such as Google, Apple and Amazon for suspected data privacy violations. Accordingly, Australian privacy commissioner Angelene Falk has announced her offices’ intention to conduct a comprehensive investigation into Facebook’s compliance with the Privacy Act, urging that organisations should be “taking reasonable steps to ensure that personal information is held securely”. Self-regulation thus far has proven to be too unreliable, indicating that governmental intervention may be necessary for the protection of consumers.

A rare congressional joint hearing with the Senate Judiciary and Commerce Committees held in Washington saw Mark Zuckerberg testify and answer the hard questions regarding Facebook’s data practices. The outcome is still undetermined and a legislative response is improbable to be implemented soon considering the Congress’ lack of understanding about the industry, made evident by the many misguided questions presented.

What can be done to mitigate these concerns and protect consumers?

Consumer awareness of these data practices have only just begun to propagate amongst the public in the wake of this ‘game-changing’ scandal. We have become accustomed to the narrative of malpractice and become complacent regarding who we trust with our data. How often do you accept privacy policies and terms of service without properly understanding what you are assenting to? Consumer negligence undeniably allows companies to circumvent accountability, continuing to allow ‘lax to non-existent enforcement practices’ through hidden clauses permitting the sharing of data. While enterprise-level responsibility is necessary, consumers should be more conscious protecting their own data and only sharing personal information in the context of understanding the potential implications. With no imminent data privacy regulation, consumers should take reasonable precautions when providing personal information online with full acknowledgement of the inherent risk.

Consent agreements should be more strictly regulated, imposing restrictions on misleading or obscure clauses to ensure consumers are fully aware of the privacy rights being waived. Upfront transparency about what data is being collected, and how this data is utilised will provide consumers with the knowledge necessary to make informed decisions regarding consent. The onus should not lie with the consumer to attempt to find, read through the fine print, and understand complex terminology. While progression has been made to ensure our data is handled ethically, how Congress reacts by either allowing Facebook to continue to self-regulate or intervene by enforcing regulation will have broad implications across the tech industry. It is a difficult and fine line to walk, but whatever form this regulation takes will set a precedent for other digital services in addressing consumer data privacy concerns. A reactionary response that is hastily implemented to accommodate immediate concerns would certainly trigger conflict with the major players, and will require cooperation on both fronts to find an effective solution.