The Cambridge Analytica scandal revealed the dark side of the big data economy, showing how personal data was misused to manipulate voters in the US election. The story is told in the documentary The Great Hack, which sheds light on how Cambridge Analytica (CA) exploited personal Facebook data for micro-targeting. This scandal was ultimately exposed through a subject access request (DSAR) — one of the key rights under the General Data Protection Regulation (GDPR).
The documentary focuses on three individuals directly affected by the scandal: whistleblower Britney Kaiser, journalist Carol Cadwalladr, and David Carroll, a professor who sued CA after they mishandled his subject access request. But how exactly did a single DSAR uncover the vast misuse of personal data? And what does The Great Hack reveal about the importance of data protection?
A Dark World of Data
As former Cambridge Analytica CEO Alexander Nix notes in the documentary, this issue is “not just about one company.” The film expands the conversation, illustrating how the collection and manipulation of data have become central to the modern business model. It highlights the extensive surveillance and control that tech companies exert over our lives. This practice extends far beyond Facebook and CA, involving an entire ecosystem of data brokers, advertisers, tech companies, and even academics.
The film also delves into how companies like Google and Facebook dominate the online world by controlling key gateways such as Google Search, Chrome, YouTube, Instagram, and WhatsApp. These platforms track and monetize our lives, shaping our behavior and decisions. Using advanced machine learning and analytics, they create detailed profiles of individuals and target them based on psychological vulnerabilities, such as feelings of insecurity or worthlessness. While Facebook’s profiling practices have largely escaped scrutiny, The Great Hack reveals how these techniques were used to manipulate emotions and influence political decisions.
But the turning point came when Cambridge Analytica was finally exposed. So, how did a subject access request play a crucial role in bringing the truth to light?
The Power of the Subject Access Request
Professor David Carroll, who had been concerned about data privacy for some time, became focused on Cambridge Analytica after the election of Donald Trump. Following advice from data protection expert Paul-Olivier Dehaye, Carroll submitted a subject access request to Cambridge Analytica in January 2017. The response he received from the company was inadequate, so he shared it on Twitter, which sparked a wave of attention.
British data protection experts and academics quickly noticed that the response violated data protection laws. Carroll then filed complaints with the Information Commissioner’s Office (ICO) and pursued a legal claim in the High Court. On March 16, 2018, Cambridge Analytica was served with a legal claim, and Facebook suspended the company. The press soon caught wind of the story, and the scandal went global.
As Carroll points out, if Cambridge Analytica had not exported voter data to the UK, where data rights are robustly supported by the ICO, there would have been no way to pursue a DSAR. Without the ability to exercise data rights, they could have legally ignored the request.
Back to Business as Usual?
Despite the lessons learned from the Cambridge Analytica scandal, it seems that little has changed. Just two weeks ago, US regulators approved a $5 billion settlement against Facebook over the breach. However, this penalty seems small compared to Facebook’s annual $22 billion profit, and it appears that the company is resuming business as usual. Facebook has made some improvements to its privacy protections, but many argue that these changes don’t address the root causes of the problem. Even more concerning is the launch of Facebook’s cryptocurrency, Libra, which could provide the company with even greater control over our personal data by tracking and analyzing millions of users’ financial transactions.
Data Rights in the Spotlight
On a more positive note, The Great Hack effectively highlights why regulations like the GDPR and data rights are critical in today’s digital world. The documentary brings much-needed attention to the importance of data protection, and we hope it helps elevate data rights into mainstream conversations. As more people become aware of the risks associated with the exploitation of personal data, it is crucial that we continue to advocate for stronger protections and accountability from companies that handle our most sensitive information.