Cambridge Analytica and the University of Cambridge
In his recent testimony before the U.S. Congress, Facebook CEO Mark Zuckerberg intimated that the University of Cambridge carried some blame for the Cambridge Analytica blunder. As he told New York congressman Eliot Engel (D): “So we need to understand whether there is something bad going on at the University of Cambridge overall that will require a stronger action from us.” Certainly not a legal accusation, but still an attempt at casting moral aspersions on this revered British institution of higher learning.
If you are unfamiliar with the Cambridge Analytica story, you can learn more about it from The Guardian’s “What is the Cambridge Analytica Scandal” video here:
In March, data analyst Christopher Wylie revealed how millions of American Facebook users had their data analyzed for political campaign purposes. British-based Cambridge Analytica had gained access to the data through a psychological test app (“thisismydigitallife”) developed by Dr. Aleksandr Kogan and his company Global Science Research. Dr. Kogan not only harvested the data of the individuals who took the test as promoted on Facebook but also all the profile data of their ‘friends’ from the social network platform. The data were analyzed to influence the November presidential election, and in its aftermath questions have been raised regarding the potential negative impact such targeted processing may have on the democratic process, with strong calls for legal regulation on both sides of the Atlantic Ocean.
The still unfolding Cambridge Analytica story is complicated, and this blog post does not attempt to give a full picture. Instead, I aim to suggest some possible legal implications for the University of Cambridge and flag some of the potential pitfalls for a U.S. higher education institution. Should a higher education institution find itself in similar circumstances, especially after the General Data Protection Regulation (GDPR) comes into effect next month, this blog may provide some insight into the legal ramifications.
According to Facebook, the social network platform allowed Dr. Kogan to access data for academic research purposes in connection with his work at the Psychometric Centre of the University of Cambridge. Indeed, as the British newspaper The Guardian has revealed, Facebook has released data to the Centre for such purposes since 2007. From a legal perspective, there is nothing wrong in that, as academic research purposes are exempted from the stringent restrictions on data processing under European data protection law. However, commercial processing is not exempt, and using a commercial app to harvest data to sell to an analytics company was certainly beyond a sole academic purview. As such, it should be emphasised that neither Cambridge Analytica nor Global Science Research has a formal (or any) relationship with the University of Cambridge.
I want to point out further that the European data protection law does not allow the parties to contract out of their legal obligations. Thus, it is irrelevant what terms and conditions the users of Facebook may have accepted; their rights as data subjects would not be affected under the Data Protection Directive (“DPD”). Of course, these rules do not apply to American citizens’ relationships with an American firm. Once their personal data is transferred into Europe, it falls under European jurisdiction. Facebook may not have broken American (or European) law, but Global Science Research and Dr. Kogan most likely did once the data were sent to its presumably British server.
Facebook claims Dr. Kogan told the social media giant that the data would only be used for academic purposes. Dr. Kogan says this is not the case and that Facebook was informed of the commercial purpose of the data analytics, but that he had been assured by his client, Cambridge Analytica, that it was all within the law. Dr. Kogan also maintains that his employer, the University of Cambridge, was never involved. This is hard to fathom for those of us with close knowledge of the University and the geography of Cambridge. It is difficult to see how he would manage, in his position, to erect and maintain an effective firewall between his commercial activities and the infrastructure of the University. For one, most academics and students are automatically connected to the University’s server and the global educational roaming access service eduroam. Second, his pleas of legal ignorance are also hard to accept, as university colleagues have told me how they have attended legal ethics committee meetings with Dr. Kogan where these very issues were discussed. To me, his professed amnesia lacks credibility.
The question for the University of Cambridge is thus whether it can escape any legal liability by relying on Dr. Kogan’s word. It appears to me unlikely. As a data controller with responsibility for the data stored and processed on its servers, the University is under a legal obligation to comply with European data protection law. Commercial processing of personal data is not banned per se under the DPD or GDPR, but personal data can only be collected and processed for specific, time-limited purposes. The individuals concerned must also be notified how their data is being used, and even how it is being processed. This clearly did not happen in this case. Claiming that an employee or third party offered unverified assurances that processing did not take place seems like a feeble excuse and is unlikely to be accepted by the courts.
It is hard to envision that in the future the courts will accept the suggestion that academic researchers are solely responsible for the processing of personal data when the data was obtained through the university or on the back of a university association. It will not suffice for a university to, for example, attempt to ‘outsource’ potential liability to its academic staff through indemnity clauses in their employment or other contracts. In light of the forthcoming GDPR fines of up to four percent of annual turnover and a commitment to enforce European data protection even overseas, the Cambridge Analytica story should serve as a wake-up call to universities across the world. A U.S. higher education institution may be at risk of legal liability for any personal data that is used in research on European servers or including data from European citizens, regardless of where the research was otherwise carried out or published.
Academic research remains exempted under the GDPR, but universities are still expected to implement oversight mechanisms and adopt security measures that will ensure that data is not used for unauthorized commercial purposes. Claiming that any legal breach was done by a ‘rogue’ academic is unlikely to sway the European enforcement agencies or the Federal Trade Commission for that matter.
The University of Cambridge is currently undertaking a full internal investigation. It remains to be seen whether Dr. Kogan’s assurance of a complete separation between the University and his company will be proven to be true. While the UK and world press continue to debate whether or not the data profiling had an impact on the presidential election, and whether any campaign laws have been violated, the UK Information Commissioner’s Office has raided the offices of Cambridge Analytica, and the Federal Trade Commission is considering whether Facebook has committed “unfair acts that cause substantial injury to consumers” in the United States.
It is not clear whether Zuckerberg’s comments were mere verbal sabre rattling or whether he intends to start legal proceedings against the University. In any case, as the lines between commercial data processing and academic research continue to blur and attract intense media scrutiny, it is probable that the European law enforcement agencies and courts will pay particular attention to the implementation of the GDPR by educational institutions regardless of national jurisdiction. Academic research is global, and the chances that a U.S. higher education institution will be able to extract itself from liability in a similar scenario are therefore slim.
As the Cambridge Analytica story continues to dominate the British headlines, it is a golden opportunity for the U.S. educational sector to learn from the travails of its European counterparts and prepare for the GDPR now. Contact The Tambellini Group to inquire about getting access to multiple GDPR resources created specifically for U.S. higher education institutions or for specific help related to GDPR and your institution through Tambellini’s new CISO Advisory Services.
Want to learn even more about Cambridge Analytica? Watch The Guardian interview whistleblower Christopher Wylie:
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Tambellini Group. To express your views in this forum, please contact Katelyn Ilkani, Vice President, Client Services and Cybersecurity Research, The Tambellini Group.