Can you sue Facebook if your data was used in the Cambridge Analytica breach? A lawyer weighs in

Today saw the latest twist in the ongoing Facebook-Cambridge Analytica saga as the social media giant started to inform its users who exactly has had their personal info compromised.

Facebook has now begun directly notify any users whose data may have been shared with Cambridge Analytica, according to USA Today.

The notification will come in the form of a message on your newsfeed – though this is simply the beginning of the process, with more messages likely to follow. Meaning: just because you haven’t received a message yet doesn’t mean you’re definitely unaffected – it’s worth keeping an eye on your feed all week.

The vast majority of the 87m users affected are in the United States, though there are reportedly more than a million UK users set to receive the message.

And while the company has already announced some changes to its privacy settings, what happens if you’re still not satisfied? We spoke to solicitor Jean-Marc Pettigrew – a specialist in IT Law – from Waterfront Solicitors to find out what legal action you could take if it turns out you were affected.

What action is available to people who find out they’ve been affected? Basically, can we sue them?

“It would first have to be established that Facebook are in fact in breach of the relevant laws. In relation to breach of the Data Protection Act, if an individual suffers damage, they may be entitled to claim some form of compensation. ‘Damage’ could be in the form of a financial loss and/or showing that the individual has suffered some form of distress. To claim compensation, the individual would need to be ready to prove the level of damage claimed to have been suffered and it would be for the courts to decide whether that level of compensation is appropriate.

“There is also the potential of collective action claims, which are on the rise here in the UK (often referred to as the ‘class action suits’ we often hear about in the US). This is the concept of a number of individuals combining their claims to bring an action against a common defendant. Previous examples include actions against the supermarket chain Morrisons and Google. If Facebook is found to have been in breach, one wonders whether it will be next in line.”

How much, theoretically, could people get from any legal action?

“How long is a piece of string? Whereas financial loss is more obvious, quantifying the level of distress an individual has suffered is much more difficult. Damages awarded vary greatly. On the lower end, damages of £650 were awarded for a mishandling of data case that affected a person’s credit rating. On the other end of the scale, we have Sadie Frost being awarded £260k for the distress caused as part of the Mirror Group’s phone hacking scandal.”

Has anything like this happened before? Are there any other previous examples of legal cases similar to the Facebook breach?

“The Information Commissioner’s Office, the independent body set up to uphold information rights here in the UK mentioned last May that it was conducting assessments of data protection risks arising from the use of data analytics, including for political purposes. Last week it confirmed it was investigating 30 organisations, including Facebook, as part of the investigation on use of personal data by political campaigns.

“In addition to the individual cases mentioned above, the ICO regularly hands out penalty fines for data protection infringements. At the moment, fines are limited to an amount of £500,000, although these are set to increase significantly when new legislation comes into force on 25 May. The Carphone Warehouse was recently fined £400,000 after it was found it had serious failures within its organisation that placed customer and employee data at risk.”

Facebook have been contacted for comment.

Read more: It’s not just Facebook – here’s what data your other favourite apps are tracking

(Images: Getty)