Security standards in digital Europe: it’s up to the user

18 May 2018

The Digital Single Market is founded on security standards that are applied in cyberspace by all individuals and companies. Incidents like the Facebook affair demonstrate how necessary these security measures are. As the Austrian government has decided to punish companies only after repeated violations of data privacy, companies like Facebook should be top priority.

Security standards in Europe

In Europe we have the will to combine all measures for universal cyber protection, to create the conditions for attractive cloud markets by establishing uniform standards, and to fuel the innovation systems for cyber security and intelligent transnational cloud solutions through increased cooperation with the sponsors of research and innovation. The high degree of compliance of our standards with current data protection and cyber and information security laws gives us a unique selling point in global benchmarks.

We now just need to convince the weakest link in cyberspace, i.e. the individual user of a wide range of applications, that cyber security is a matter for everyone. If we manage to raise awareness in this manner, then nothing can stand in the way of the European model of highly functional security standards in the predominant provision of cloud resources.

The case of Facebook

UK data analytics company Cambridge Analytica had access to almost 90 million Facebook accounts without the consent of the relevant Facebook users, and used this data to compile strategic recommendations for 'Vote Leave' in the Brexit Referendum and for Donald Trump in the US presidential election.

It is now clear that there was no breach of the social media giant's data servers. It is important to note that Facebook itself gathers a lot more data on its users than that available in public profiles. And this secret data was protected up until now.

However, Cambridge Analytica took advantage of a business practice in place until 2015, whereby app developers not only had access to the profiles of users who had downloaded their apps, but also to all of their friends' profiles via the 'Friends Permission' feature. Facebook only withdrew this feature in 2015 following increased public criticism.

The facts of the current “Facebook – Cambridge Analytica” case are as follows: Aleksandr Kogan developed a “Test Your Personality” app and advertised it for installation on Amazon’s Mechanical Turk crowdsourcing site. He obtained the consent of 250,000 users for this, and thereby gained access to 50 million profiles via the Facebook feature. Cambridge Analytica paid Kogan to collect the data from 50 million accounts. Although app developers were authorised to evaluate the account data of users and their friends under the Facebook practice in place prior to 2015, forwarding this data to third parties was already illegal at the time.

Out of sight, out of mind

The accusation that can be levelled at Facebook is this: The company never made any major effort to control its developers' handling of this data. The social media platform was no longer concerned with what happened to the data once it left the Facebook servers. And with tens of thousands of developers, it must be assumed that the trade in Facebook data has been a common and lucrative business practice for quite some time.

Yet if there had been a recognised independent authority prohibiting such practices, then incidents on the scale of the current Facebook scandal would have remained unthinkable! The case clearly shows the advantages of the European value system with a strict and rigid data protection regime, such as the one we have established with the GDPR. Ultimately, however, unauthorised access to personal user data no longer just involves a breach of individual rights of protection; in many cases it also involves subverting the democratic process, as shown by the data Cambridge Analytica processed for various political movements and players. Comprehensive, competent and reliable data protection cannot, however, simply be decreed, not even in the form of a general code of conduct for the use of cyberspace, despite all efforts by the policymakers responsible.

Austria: keeping things in proportion

The consensus in Austria is that tighter protection for data privacy is an issue that should be approached with care: The provisions of the General Data Protection Regulation, which regulate the protection of personal data, come into effect on 25 May 2018. The Austrian Data Protection Authority will only intervene in cases in which companies have repeatedly violated the rules set out in the Regulation. This is meant to protect SMEs – the backbone of the domestic economy – and to allow time for the processes and procedures related to data privacy and the punishment of its violation to become better established.

This approach has decades of tradition in the Austrian government, and there is nothing wrong with that. But we mustn’t lose sight of a certain sense of proportion: I consider this initially lenient approach for small and medium-sized enterprises to be very welcome. However, in some cases I call vehemently for a swift approach: when there are unfair practices of large, universally known repeat offenders – such as Facebook.