JOHANNESBURG — Pansy Tlakula, the chairperson of South Africa’s newly established Information Regulator, has only been in the job since October last year, but she’s already clearly very busy. SA’s new information regulatory body is intended to bring the country in line with other nations such as Germany when it comes to its data privacy rules and regulations. And it’s great to see this institution already doing its job as Tlakula wrote a letter to Facebook demanding answers over the extent of South Africans impacted by the Cambridge Analytica data breach. The numbers that Facebook has provided below will probably shock you as the company has revised the number of Saffers impacted from 59 777 to just over 96 000. These 96 000 people were breached as a result of just 13 people downloading the Cambridge Analytica quiz app. I’ve posted the relevant segment of this Facebook letter in the post below. You can read the full letter in the embedded PDF link further below. – Gareth van Zyl
By Yvonne Cunnane*
Access to the personal data of Facebook users located in South Africa by third parties
The current information that we have with respect to South African user data is as follows:
- We understand that 13 people in South Africa installed the app throughout its lifetime on the Facebook Platform (i.e., from November 2013 when the app went live to no later than 17 December 2015), which is 0.004% of the app’s total worldwide installs.
- We further understand that 96,121 additional people in South Africa were potentially affected, as friends of people who installed the app that did not install the app themselves.
- This yields a total of 96,134 potentially affected people in South Africa, which is 0.11% of the global number of potentially affected people.
I should also make the following points on the approach that we have taken to identify people affected:
- Location has been used to identify those affected. Location is not an indication of nationality or citizenship and may not, in some cases, indicate actual place of residence.
- These figures do not include people who may have installed the app but then subsequently deleted their Facebook account, as we no longer hold that data.
- These figures also may be over-inclusive. We have not retained data regarding when individual users installed the app. As a result, we have had to include in these figures anyone who installed the app during its lifetime, and anyone who may have been friends on Facebook with any of those people at the time between when the app first became active on the Facebook Platform in November 2013 and when the app’s access to friends’ data was limited in May 2015. They also include users who may have changed their settings to disallow sharing of their data with apps authorized by their friends, due to limited historical information about when or how those settings were updated. We believe this figure may over-count the total number of users whose data was in fact accessed by the app; however, we wanted to be as comprehensive as possible in our analysis.
- These figures may be significantly larger than the actual count of people whose data was shared with Cambridge Analytica by Dr. Kogan. This understanding is consistent with the contract between GSR and SCL Limited that has recently been made public and indicates that Dr. Kogan agreed to transfer data relevant to people in only 11 US states.
- Yvonne Cunnane is Head of Data Protection, Facebook Ireland Limited.