top of page

The Cambridge Analytica Data Scandal- A Legal Analysis


The Facebook-Cambridge Analytica scandal was mainly concerned with collecting and obtaining the data of millions of Facebook users without receiving the consent of the Facebook users. Cambridge Analytica is a British political consulting firm, headquartered in London, United Kingdom and the parent organization of the firm is the SCL Group. The firm had become well known after the data scandal. In the Facebook-Cambridge Analytica scandal there was an obtainment and harvesting of Facebook data of about 87 million people, this data was used in advertising during the political campaigns and elections. This was also known as the largest leak in the history of Facebook. The political analysis data firm had worked on the presidential campaign alongside Donald Trump in the year 2016. It is said that the firm had enough data on Facebook users to create data points and extensive personality profiles, which resulted in psychographic targeting of advertising. The main issue and question at hand is how did Cambridge Analytica obtain the data of millions of Facebook users and the data of the massive dataset of the American electorate. The firm was also accused of storing and secretly keeping the data of 50 million Facebook users without permission. The data was acquired by the firm through a third party application which was called “This Is Your Digital Life”, which was founded by a researcher at the University of Cambridge, and was downloaded by approximately 300,000 Facebook users. Data was collected of the Facebook users and the friends of these users. Questions on the election laws and data privacy have arisen, once this scandal went public.

Introduction to Data Privacy

Data privacy Law is also known as the Information Privacy Law and is one of the most important areas of law today. Data privacy is a branch of data security that is concerned with the proper handling of data which includes various factors such as consent, notice and the regulatory obligations. The practical data concerns usually revolve around whether data is shared with a single or multiple third parties, how the data is shared is also a concern. How the data is collected legally or stored is also a practical data concern. Another practical concern is the various regulatory restrictions in different countries. Most of the regulations have given a precise definition as to what data privacy is, and it is left to various business industries and businesses to determine and consider as the best practice for their own respective industry.

In the legislation, the term “reasonable” is often referred to; this may differ amongst various laws, along with the various respective fines. Companies that work with sensitive data which is personal to the users, and companies must consider the legal parameters and these companies must make sure that the data practices which are practiced by the company are well outlined in the legislation, so no laws are broken or sensitive data is breached. Data privacy is extremely important within businesses for the following reasons. Firstly for the reason of Business asset management, data is one of the important assets that a business can own. Today, the data economy in the world is extremely pre-dominant, where we can see that companies find an essential and enormous value in collecting, sharing and using data of users and customers, especially from social media applications such as Facebook, Instagram, Snapchat, Twitter and others. The transparency regarding how businesses and large scale industries request the collection and the permission to store personal data, and more importantly manage that data, is extremely essential to build the trust between the customers and the business since customers consider data privacy as a human right. Secondly, data privacy is important to ensure regulatory compliance, this means that a business may have the responsibility to meet certain legal responsibilities with regards to how the business stores, collects and processes the data collected.

Non-compliance may result in a huge fine to the business and may face consequences such as lost revenue or lost consumer trust. Data privacy to individuals is important because in order for individuals to engage online, they must be able to trust organizations that their personal data is engaged with utmost care.

Data privacy is considered to have different variations in different geographical locations, for instance in the European Union privacy is considered strongly as an absolute fundamental right whereas in some parts of the world data privacy is considered as an element of liberty, and the right to be free from the intrusion by the state. Data sovereignty refers to the digital data that is subjected to the law of the country in which the data is located.

India’s Data Privacy Law

Recently, both the houses of the parliament in India had reportedly granted a fourth extension to the joint parliamentary committee to submit a report on the Personal Data Protection Bill, 2019. The government adoption of the new technology today, is at the peak and the data driven governance is becoming increasingly relevant, especially during the time of the COVID 19 pandemic. While it is true that the government of India is trying to embrace and welcome new technological capabilities, it is accompanied by a huge amount of personal data of Indian citizens which is largely unregulated.

Personal data can include many different sensitive categories of information such as phone numbers, home addresses, religious opinions and beliefs, various political opinions. While some of these categories are included in the Personal Data Protection Bill, they are not regarded as sensitive personal data under the data privacy rules. The data protection law in India has the ability to provide a clear legal basis to an individual’s entitlement; furthermore the data protection law has the ability to enable an effective judicial redress. Providing a clear legal basis, clarifies an individual’s scope of fundamental rights to privacy. This explains what businesses and data fiduciaries that collect individuals personal data, can or cannot do with the data. The absence of a data protection law in India makes it extremely difficult to know what fundamental rights available to the citizens. The absence of a law might result in biased judgements across various parts of the country. Currently the Indian constitution does not allow writ remedies against entirely private organizations or bodies as they do not constitute under the meaning of state under Article 12. This indicates that there is very little recourse that is present under the Indian law, in every situation where a private body or organization violates an individual’s or a citizen’s right to privacy.

Role of Cambridge Analytica in the US Elections

The elections in the United States in the year 2016, had heavily relied on advertisement targeting, and Cambridge Analytica was involved in the political campaign. The advertisement targeting for the campaign, may have utilized the Facebook data provided by Cambridge Analytica which may have been obtained illegally. Detailed psychological profiles of every American voter were created, which was done with the purpose of campaigns being able to tailor their pitches from person to person. The personal psychological profiles were created by collecting voter records, and online activity of the users.

Using the data of the users, personality models for voters were created. Cambridge Analytica had worked with researchers to create a survey that had collected the personality of the users. This was survey was rolled out to hundreds of thousands of people across the United States. In the survey, questions such as personality traits and behavioural traits were present. The survey had also scored people on other typical personality traits such as whether or not the user is extroverted, agreeable or how open is the user. A researcher who was affiliated with the University of Cambridge, known as Aleksandr Kogan had developed this application for the company that had required users to sign in with their Facebook accounts. It is reported that the British political analysis firm has collected a lot of personal information about the Facebook users, by breaking a lot of rules of Facebook. At the time, when the application was created, Facebook had allowed the application to store data and information on all the users who used the application, and also more importantly, information and data about the friends of the Facebook users. The data had included important and sensitive details such as the education, location, of the users. It had also included sensitive details such as the relationship status of the user, and where the user worked. The likes and groups the users were in were also tracked. Aleksandr Kogan who was the developer of this application, was allowed to collect this data strictly and purely for academic purposes only, and this information was not allowed to be passed on to third parties. Instead of using the data collected for research, which was promised, the data was passed along to a third party- which was the British political consulting firm, Cambridge Analytica. Facebook had found out about this and had suspended Aleksandr Kogan and Cambridge Analytica from the platform.

Was there a threat to the data privacy of the citizens?

Cambridge Analytica had represented that all the data that was obtained by them was collected legally and all the operations were conducted in accordance with the necessary permits, licenses and consent to carry out the operations. When the data was collected of Facebook users the aim was to quantify the personality by scoring individual users on five key personality traits which included openness, conscientiousness, extraversion, agreeableness, neuroticism, which refers to the Big 5 or OCEAN personality model. Each person’s score on each attribute was determined by examining the Facebook page likes of each user and creating predictive models of personality based on page likes. The company had used a regression model to predict personality. A regression model is described as obtaining data on an individual, and uses that data to predict something we do not know about the individual. Depending on the personality of the user there were different advertisements that were shown on the same issue in hopes of convincing different users of the same message. Christopher Wylie, who is a Canadian data consultant, worked previously at Cambridge Analytica, believes that this crosses a line, and is no longer persuasion but rather, manipulation. He claimed that the company operated in an “ethical grey area” and “attempted to manipulate voters by latching onto their vulnerabilities.” While the Facebook advertisements run by the firm Cambridge Analytica may not have had that much of an impact on the 2016 US election, this is just the beginning in the field of micro-targeted advertising through social media. With approximately 2.5 billion monthly active users on Facebook, and 1.5 billion daily active users, Facebook is a tool unlike no other and has the ability to influence the mind set and choices of users. The individuals had not given the consent to the firm to store their data, and more importantly many individuals did not know that their data was being collected. Users were manipulated on the basis of advertisements received that were personally catered to them using the personality models. There is a clear threat to the data privacy of the citizens, since data was used and stored without the consent.

Role of Cambridge Analytica in Brexit

Brexit refers to the withdrawal of the United Kingdom from the European Union and the European Atomic Energy Community. It is said that the firm Cambridge Analytica did work for the Leave EU campaign. The potential targeting of U.K. voters on social media ahead of the Brexit vote is part of a wider push by political groups across the Western world and beyond to use digital political campaigning to target people with increasingly sophisticated messages. It comes as lawmakers and policymakers are calling for greater oversight over how these groups use the likes of Facebook, Twitter and Google amid concerns that there is a lack of control over how these digital political campaigns operate.


Many election laws and the data privacy of the citizens can be questioned. It is extremely important for organizations to make sure that sensitive information of the users is not passed on to a third party or stored without their consent. This scandal also brings a question with regards to a threat on the democracy. If users are manipulated by using personality models, the democracy of the nation as a whole is affected and so are the political campaigns.

Srivalli V Kondapalli,

NALSAR University of Law, Hyderabad






1,404 views0 comments

Recent Posts

See All

I. BACKGROUND The advancement of internet trend has caused a shift in the business sector. Many business organisations have migrated to the internet realm of marketing and commerce, inc

Introduction Black’s law dictionary defines Double Jeopardy as: – A second prosecution after a first trial for the same offense. In India, protection against double jeopardy could be an elementary rig

bottom of page