News & Views

In early April, the world watched as Mark Zuckerberg, Facebook’s Chief Executive, appeared before the US Congress in Washington DC to answer questions regarding, amongst others, the misuse of data harvested by Cambridge Analytica (CA) relating to Facebook users. In the process, Zuckerberg found himself explaining the workings of Facebook to people unfamiliar with social media and revealed some fundamental misconceptions about online privacy and personal data.

One of the mistaken assumptions leading to the CA furore came from the perception that Facebook accounts had been hacked thereby leading to the erroneous conclusion that users’ personal data such as names, addresses, phone numbers, contacts, etc had been unlawfully stolen by CA. In fact, this was not the case. What CA had done was to engage a software developer by the name of Aleksandr Kogan to develop an App which was then promoted on Facebook. When subscribed to and used, the App collected data relating to the profiles of Facebook users and where their privacy setting permitted, the profile data of their contacts. It also collated information relating to their preferences which enabled CA to formulate targeted strategies aimed at people with similar inclinations. The idea of harvesting data this way is not itself novel and is known as psychographic targeting or modelling and in one form or other is used in advertising and marketing strategies. The data collected was then sold to CA.

Unfortunately, the fact that these revelations happened against the backdrop of an America wound up over the possibility of interference in their elections by a perceived adversary, did little to damper emotions or foster equanimity. The fact that the data collected by CA was given voluntarily did little to play down the sense that it had been used to benefit a conniving Russian government.

Is the collection of data unlawful?

Data protection laws differ between jurisdictions and depend largely on the definition given to what constitutes “personal data” and the prescribed boundaries for permissible usage of such data. In Malaysia, there is no legislation conferring a right to individual privacy. However, under the Personal Data Protection Act 2010 (PDPA), personal data is protected if it is data that is processed in respect of a commercial transaction that relates to a data subject and allows the data user to identify the data subject. Therefore, not all data collected is protected.

It also follows that the form of information or data gathering used by CA would not have been a violation of Malaysian laws as it does not constitute “personal data” by definition. One would assume that if the data was harvested through an App subscribed to on Facebook, it would not have been processed “in respect of a commercial transaction” but as a social activity and therefore would not have fulfilled one of the key criteria to be personal data. We also know now, that the App commissioned by CA was to encourage Facebook users to participate in a survey and the terms of usage expressly made known to the users that their data and those of their friends would be collected, thus meeting the requirement of consent under the PDPA. However, what may have fallen foul of the PDPA could have been its use by CA for a purpose that was not disclosed at the time the data was collected or one that was not directly related to it. Therefore, if Facebook users were not told that the data collected through the App would be passed on to third parties to develop strategies, that could not reasonable be gleaned from the purpose of the App, it is arguable that a breach of the PDPA could have occurred. What is also unclear is whether the sale of the data to CA by Aleksandr Kogan after it had been processed could still sufficiently cloak the data with commercial qualities to bring it within the PDPA, as this would require a broad construction of the quirky language used in the PDPA.

Assuming there was a commercial element involved and there was no consent to disclose or use data, aggregated generic datasets collected from the internet and used to reveal patterns, trends, and associations, relating to human behaviour and interactions (commonly known as big data), would arguably not be a breach of the PDPA if the identities of the users cannot be conclusively determined through their IP addresses. There is yet to be a Malaysian authority on whether IP addresses could be deemed personal data but the European experience in this regard is being followed with much interest particularly the opinions expressed in cases such as Germany vs. Patrick Breyer [Case C-582/14] by the German Federal Court of Justice.

Loong Caesar, Angeline Ang and Emily Soon