Resolution on the use of Facebook users' data by Cambridge Analytica and the impact on data protection

2018/2855(RSP)

The European Parliament adopted the resolution on the use of Facebook users’ data by Cambridge Analytica and the impact on data protection.

Facebook, a signatory to the Privacy Shield, confirmed that the personal data of up to 2.7 million EU citizens were among those improperly used by political consultancy Cambridge Analytica.

Parliament stated that Facebook breached not only the trust of EU citizens, but also EU law. The data misuse revealed in the context of the Cambridge Analytica scandal happened before the application of the General Data Protection Regulation (GDPR).

Cambridge Analytica claimed the data processing was officially carried out for research purposes, but subsequently passed on the data gathered for political and commercial use.

Figures from the Electoral Commission of the UK showed that the political parties in the United Kingdom spent GBP 3.2 million on direct Facebook advertising during the 2017 general election. Personal data, obtained from Facebook, may have been misused by both sides in the UK referendum on membership of the EU and used to target voters during the 2016 American presidential election process.

Three hearings on the impact of the Facebook/Cambridge Analytica case on issues related to data protection, electoral processes, fake news and the market position of social media were held on 4 and 25 June and 2 July 2018. Noting with regret that Facebook was not willing to send staff members with the appropriate technical qualifications and level of corporate responsibility to the hearings, Parliament pointed out that such an approach is detrimental to the trust European citizens have in social platforms.

Proposed measures to be taken: Member States should introduce an obligatory system of digital imprints for electronic campaigning and advertising and implement the Commission’s Recommendation aimed at enhancing the transparency of paid online political advertisements and communications.

Online platforms are urged to:

  • ensure full compliance with EU data protection law, namely the GDPR and Directive 2002/58/EC (e-Privacy), and help users understand how their personal information is processed in the targeted advertising model;
  • distinguish political uses of their online advertising products from their commercial uses. In this regard, Parliament recalled that processing personal data for political advertising requires a separate legal basis from the one for commercial advertising. It also stated that profiling for political and electoral purposes and profiling based on online behaviour that may reveal political preferences should be prohibited;
  • label content shared by bots by applying transparent rules, speed up the removal of fake accounts, and work with independent fact-checkers and academia to tackle disinformation;
  • include experts within the sales support team who can provide political parties and campaigns with specific advice on transparency and accountability in relation to how to prevent personal data being used to target users;
  • urgently roll out planned transparency features in relation to political advertising.

The Commission is called on to:

  • upgrade competition rules to reflect the digital reality, look into the business model of social media platforms and their possible monopoly situation, and take the necessary measures to remedy this;
  • propose amendments to the European Electronic Communications Code that also require over-the-top communications providers to interconnect with others, in order to overcome the lock-in effect for their users;
  • task one of its members, in the future Commission, specifically with the privacy and data protection portfolio in order to ensure that all legislative proposals are fully compliant with the EU legal acquis on privacy and data protection;
  • audit the activities of the advertising industry on social media and propose legislation in the event that the sector and concerned parties are unable to reach agreement on voluntary Codes of Conduct with dissuasive measures.

In addition, data protection authorities at national and European level are called on to undertake a thorough investigation into Facebook and its current practices so that the new consistency mechanism of the GDPR can be relied upon to establish an appropriate and efficient European enforcement response.

The Council is urged to end the deadlock on the e-Privacy Regulation, and to finally reach an agreement with Parliament without lowering the level of protection currently afforded by the e-Privacy Directive so as to ensure that the rights of citizens, in particular those pertaining to the protection of users against targeting, are protected.

Lastly, Member States should urgently conduct, with the support of Eurojust if necessary, investigations into the alleged misuse of the online political space by foreign powers.