Dive Brief:

• Last week, Facebook said in a statement Cambridge Analytica, a political data analytics firm, received the profile information of millions of its users from Dr. Aleksandr Kogan, a psychology professor who obtained the information properly through a third-party Facebook application he created. 
• Such a data transfer is a violation of Facebook policies, and when it found out about it in 2015 the company told all parties to delete the user information. The social network said it only recently discovered that full erasure did not take place. 
• The scandal adds to a growing list of political and data problems for Facebook. Amid reports of internal disagreements on how the company should publicly disclose nation state manipulation and disinformation on its platform, the company's CISO Alex Stamos is set to leave his position by August, reports The New York Times. 

Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.

— Alex Stamos (@alexstamos) March 19, 2018

Dive Insight:

The scandal — which was not a data breach — ignited global reactions and caused an overnight tumble in tech stocks, with American and European lawmakers already pushing for investigations. But come May, when the EU's GDPR takes effect, will such incidents be deterred by the comprehensive data privacy regulations? Or even penalized? 

The regulation will put in place significant data rights for users, including the right to erasure and access to one's data. It also requires companies controlling or processing data to implement privacy by design and default and to request data processing consent from users in a clear and understandable manner.

Had the Cambridge Analytica scandal broken almost two months later, it may have subjected Facebook to fines of 4% of global turnover for violation of GDPR mandates. 

But regardless of what was poor timing for some, the scandal furthers an important narrative for the world — and the United States especially — over the last two years. 

Facebook has carved out a historical niche. Never has a company held such a breadth and depth of information on billions of people. Fake news and outside manipulation aside, the company has created a vast and open data marketplace that lawmakers don't know what to do with and most modern businesses don't know what to do without. 

But the power that Facebook, Google, Amazon and other companies hold over individuals may change in the coming months and years as GDPR sets up more safety walls within the business-user relationship.