Facebook are facing another legal challenge over their failure to protect the personal data of their users. This time it takes the form of a mass legal action launched in the UK by journalist Peter Jukes on behalf of himself and a million UK Facebook users.

The Facebook-Cambridge Analytica scandal revealed in 2018 that a third party app, This is Your Digital Life, had harvested the Facebook data belonging not only to the users of the app, but that of their Facebook friends as well, without either the knowledge or consent of any of the affected individuals. The app was able to do this thanks to the data settings in Facebook which allowed app developers to access the personal data.  Jukes claims that these settings exploited the trust of Facebook users, opening up their personal data to abuse by making their data available to third parties.

The activities of This is Your Digital Life originally came to light as the result of newspaper interviews with an ex-employee of the UK tech firm Cambridge-Analytica, who claimed that the company used data collected by the app. Facebook and Cambridge-Analytica subsequently became the focus of investigations into the use of personal data for the purposes of political advertising both in the UK and the US.  The investigations found that, between 2007 and 2014, Facebook did indeed allow third-party app developers to access personal information without the data subject’s informed consent. As a result Facebook was fined $5 billion by the Federal Trade Commission (FTC) in the US and £500,000 by the Information Commissioner’s Office (ICO) in the UK for data privacy violations.

The mass action claim now being brought against Facebook alleges that they allowed the third-party app, This is Your digital Life, to access the personal information of users and their Facebook friends without their knowledge or consent between November 2013 and May 2015.

Peter Jukes argues that:
“ It is only right that we, as consumers, hold Facebook to account for failing to comply with the law and for putting our personal data at risk, to ensure that this is not allowed to happen again”.

The alleged violations took place before the GDPR and Data Protection Act of 2018 came into force, which meant the maximum fine the ICO could impose was capped at £500,000. However, although the current action seeks damages under the Data Protection act of 1998, the sheer number of people involved in the new claim could result in a far bigger payout for the breach.

At a time when Facebook are taking on Australia over their attempts to force the social media giants to pay for news articles, they may find little sympathy in the UK courts for the potential impact of further large fines on their business.