Earlier this month, a whistleblower revealed that data analytics firm Cambridge Analytica harvested Facebook profiles of around 50 million users to build a sophisticated software that could determine voting behaviour and personality traits of citizens.
The whistleblower added that Cambridge Analytica used the software to aid political campaigns and to influence voter behaviour ahead of the Brexit referendum. Yet another report from Ars Technica claimed that Facebook, in fact, itself harvested years' worth of phone call metadata from their Android devices, including "names, phone numbers, and the length of each call made or received".
£12,500 for each UK Facebook user
According to Dr. Maureen Mapp, a law professor at Birmingham Law School, if each one of the 50 million Facebook users in the UK sued Facebook for the distress they went through because of the data breach, Facebook could end up paying £12,500 as damages to each of them.
"There are about 50 million Facebook users whose data was harvested. Assuming each one of them brought a claim for compensation for distress caused by the data breach...each individual may be awarded £12,500 as damages," she said.
"In total, the amount that could be awarded by the courts could amount to £625billion – 50 million multiplied by £12,500," she added. She arrived at these figures based on a 2015 legal case where the court had directed The Mirror to pay £12,500 each as compensation to six individuals who suffered distress after being phone-hacked by the newspaper.
However, David Barda, a lawyer at Slater and Gordon who specialises in data protection cases, said that if Facebook is indeed sued by millions of users in the UK, the realistic compensation amount could be £500 per claimant.
"The amount of compensation will depend on the level of distress suffered, but Facebook could be facing claims of up to £500 per Facebook user if those users were able to demonstrate their distress," he said.
This isn't the first time that Facebook's data protection practices have been questioned. In February, a regional court in Berlin termed the U.S.-based social media giant's use of personal data as illegal after it found that it did not provide adequate information to consumers while obtaining their consent to use their personal data.
According to vzvb, the Federation of German Consumer Organisations and a leading consumer rights group that challenged Facebook's privacy policies in court, the court found certain parts of Facebook's default privacy settings and services in breach of the country's consumer law.
"Facebook hides default settings that are not privacy-friendly in its privacy center and does not provide sufficient information about it when users register. This does not meet the requirement for informed consent," said Heiko Duenkel, litigation policy officer at the vzvb to Reuters.
The consumer rights group added that Facebook gives away a user's location to anyone he or she is chatting with by default as this option is pre-activated in Facebook’s app for smartphones. Facebook also pre-ticked certain boxes in privacy settings that allowed search engines to link to a user's timeline.
Facebook was previously fined €110 million by the European Commission for lying about its plans to share user data with WhatsApp. During the EU's investigation into Facebook's merger with WhatsApp in 2014, the social media giant told the Commission that it would be unable to establish reliable automated matching between Facebook users' accounts and WhatsApp users' accounts.