Following Donald Trump’s shock victory in the 2016 US election, Russian interference has become a major focus. Special counsel Robert Mueller has already indicted 13 Russian nationals and three Russian entities for allegedly meddling in the election. Now the attention has turned to whether Cambridge Analytica, the data firm already under scrutiny for its role in harvesting millions of Facebook profiles without users’ express consent, may also have violated US election law.
Non-partisan government watchdog Common Cause recently filed two complaints with the US Department of Justice and the US Federal Election Commission (FEC) arguing that Cambridge Analytica and affiliate company SCL violated the prohibition on foreign employees participating in election-related activities. Trevor Potter, former commissioner and chairman of the FEC, and counsel to several Republican presidential campaigns, says such involvement would be against the law. ‘There is a flat prohibition under US law of foreigners, which is to say non-citizens, non-permanent residents of the US, spending money in US elections,’ says Potter. ‘There is evidence that foreigners did in fact engage in US election activity. Some of it is through social media, such as Facebook and the advertising, and the other appears to have been through foreign entities being engaged by US political actors to help them run US campaigns.’
When it was first alleged the firm had misused millions of users’ data, companies like Facebook were suddenly put in the firing line, causing many to question whether greater regulation is necessary in the face of growing concerns over data privacy. Cambridge Analytica has since released a statement saying it ‘licensed data for no more than 30 million people’ and that Global Science Research, the company it retained to collect data from Facebook profiles, ‘did not share the content of any private messages with us.’
Testifying in two recent Congressional hearings about the data privacy scandal, Facebook CEO Mark Zuckerberg admitted the company had ‘made mistakes, there's more to do, and we need to step up and do it.’ He said Facebook would have 20,000 people focused on security and content review by the end of 2018, but shied away from supporting regulation in absolute terms.
On 2 May Cambridge Analytica announced it had begun insolvency proceedings in the UK, saying it had been left with ‘no realistic alternative to placing the Company into administration.’ The company had been under close scrutiny in the UK after reports emerged that it, alongside Canadian data firm AggregateIQ (AIQ), were retained by the Vote Leave campaign in the run-up to the Brexit referendum. This threw into question whether it violated the UK’s strict rules on election campaign spending limits. Prior to commencing insolvency proceedings Cambridge Analytica had rejected the allegations and said it had only ‘subcontracted some digital marketing and software development to AIQ’ on behalf of ‘clients completely unrelated to Leave.EU.’
Both scenarios highlight the extent to which electoral law, both in the UK and further afield, is in desperate need of an overhaul. ‘It seems to me that the Cambridge Analytica problem is that the law cannot keep up with it,’ says Dr Bob Watt, an expert in UK electoral law and a visiting fellow at the Bonavero Institute of Human Rights at Mansfield College, Oxford.
Watt says he has some sympathy with the data firm, which describes itself as politically neutral, and says the revelations show electoral law needs to get up to speed with digital media and companies that harvest, mine and process data. ‘They are data miners and handlers – that’s what they do,’ he says. ‘They don’t mind who they sell it to. They are interested in gathering this information and what use is made of it is the responsibility of political campaigns, political parties, or candidates. That’s what the law says, that is, the Representation of the People Act. Now the point is, my comments on the way that the law is stuck in the 19th Century – that was dealing with paper leaflets and papers. But we’ve moved on since then. The law needs to deal with digital media and it needs to require political parties to put an imprint on it and to properly declare it in their expenses. That isn’t there at the moment in my reading of the law.’
Many have queried whether an electoral breach in either jurisdiction would have had the power to quash the result. Tony Travers, a professor at the London School of Economics & Political Science, thinks it’s unlikely the referendum result would have been contested. ‘As the referendum itself was not legally binding – it was the politicians that chose to be bound by it – I’m not even sure what a legal challenge would achieve really and nobody sounds like they’re going to mount a legal challenge to the veracity of the result,’ he says.
“The problem is that electoral law in this country cannot deal with the activities of data harvesting, data mining and data processing companies
Dr Bob Watt
Visiting fellow, Bonavero Institute of Human Rights, Mansfield College, Oxford
Likewise Potter, who is president of the DC-based Campaign Legal Center, doesn’t see a re-election on the cards in the US: ‘I don’t think that anyone in our system thinks that anything we would find would nullify the previous election – that’s not possible under our Constitution,’ he says. ‘I think our interest is in making certain that it does not happen again and we have important [midterm] elections this year, so time is of the essence for requiring this sort of disclosure.’
Martin Schirmbacher, a partner at Härting Rechtsanwälte and Co-Chair of the IBA Technology Law Committee, says the European General Data Protection Regulation (GDPR), which comes into force on 25 May, will help regulate the activities of platforms like Facebook. ‘Before calling for new laws regulating social networks and their data handling authorities, courts should apply and enforce the newly enacted GDPR,’ he says. ‘When interfering with elections is seen to be a problem, then this should be targeted instead of Facebook’s data collection. The GDPR will also massively affect American companies doing business in Europe.’
However, Potter believes more US legislation is needed to ensure companies don’t risk making a similar mistake. ‘[Facebook has] stated that in the future it will be their policy to require such disclaimers which would enable people to detect the foreign spending,’ he says. ‘The fact that they’re doing it voluntarily is not enough. There are lots of other internet entities out there that may not do it voluntarily and I think it was a true failure by the FEC not to have required such disclosure some time ago. I think legislation would be helpful because the company voluntarily doing it means it can always change its policy and cease doing it, and again, just because one company is doing it, doesn’t mean that its competitors will. Legislation puts everyone on a level playing field.