Greetings from Brussels!

What a week it has been so far, and of course, the Facebook-Cambridge Analytica intrigue has been front-line news since the story broke last weekend. In case you’ve been out of town on interstellar travel: Data analytics firm Cambridge Analytica, based in the U.K., is alleged to have made use of the personal data of 50 million Facebook users, without their permission, for political profiling and messaging during U.S. President Donald Trump’s electoral campaign in 2016. IAPP Publications Editor Jed Bracy has been reporting extensively on the story since Monday, and if you want a chronological read of how the story has unfolded this week, I recommend reading his summaries that can be found here, here and here.

Both Facebook and Cambridge Analytica deny any wrongdoing or breaking the law, although there is a growing swath of regulators and legislators keen to get to the bottom of what transpired between the two companies. Several different investigations on both sides of the Atlantic are now underway. While some might say that Facebook was slow out of the gates to react publicly, Mark Zuckerberg apologized Wednesday for mistakes the company made in how it handled personal data belonging to 50 million of its users and promised tougher steps to restrict developers’ access to such information. “This was a major breach of trust. I’m really sorry this happened. We have a basic responsibility to protect people’s data,” Zuckerberg said. Importantly, he went to say that Facebook planned to conduct an extensive audit and investigation of thousands of apps that have used Facebook’s platform, restrict developer access to data, and give members a tool that lets them disable access to their Facebook data more easily.

In related news, The Irish Times ran with a story this week bringing into question the current data protection legislation going through the Oireachtas (the legislature of Ireland) that will give effect to the new GDPR, warning that the bill — as it stands — could legalize such data-harvesting activity. The suggestion being that organizations such as Cambridge Analytica could set up shop in Ireland to influence voters and elections anywhere in the world with relative immunity from legal sanction. Data protection consultant Daragh O’Brien, managing director of Castlebridge, said the Data Protection Bill 2018 currently creates “a blanket permission for organizations of any kind harvesting personal data for ‘electoral activities.’”

In more detail, it is alleged that Section 43 of the Irish Bill appears to create an exemption from the GDPR for processing data relating to political opinions. If that were to be the case, Ireland would find itself at odds with the protection afforded such sensitive data under EU law, leaving it exposed to irregular data processing practices for political ends even beyond Irish borders. The Irish Department of Justice reacted with the statement that Section 43 “imposes safeguards on the processing of personal data and does not allow for the sharing of such data.” Moreover, the Justice Department said it was important that Section 43 not be read in isolation, and that Section 33 of the bill provided for a wide range of measures to safeguard individuals’ rights.

In parallel, Irish Data Protection Commissioner Helen Dixon says her office is to probe Facebook’s active oversight mechanisms to monitor how app developers and third parties use the social media site to ensure effective safeguards. A spokesman for the Irish data protection office said this week that rules concerning how data is used on Facebook have been updated since the events surrounding the Cambridge Analytica irregularities that took place in 2014; access to friends’ data was effectively restricted by platform upgrades. The DPC further warned that “the microtargeting of social media users, with political advertisements and sponsored stories, remains an ongoing issue today.” It said that it intends to issue guidance to the public in the absence of laws regulating political targeting of users online.

Plenty more on this to follow no doubt.