Personal data protection Ninja Paul-Olivier Dehaye on how WhatsApp is used to improve Facebook's profiling


In an exclusive interview with YourStory, Paul-Olivier Dehaye of talks about privacy laws and the relevance of data protection issues following the Cambridge Analytica revelation.

It is said that if a company is not selling you anything, then you are the product. Perhaps it is okay if they are selling you soap, but what happens when democracy is peddled?

The recent revelation that Cambridge Analytica, a UK-based data mining firm, harvested more than 50 million Facebook profiles (without the users' permission) for Trump's election to the US presidency shows how data can be used to scuttle the democratic process, giving the phrase "bloodless coup" a whole new meaning.


Even before this turned out to be the big news of the year so far, Paul-Olivier Dehaye, Co-founder of, a startup “promoting trust in the digital world,” had been tracking Cambridge Analytica last year and has come out with a dossier on them and their parent company SCL Group.

Referring to some of the lingering questions, he notes that, “Who will control the campaign data going forward? Trump's campaign, Cambridge Analytica, the organisation promoting Trump's movement, the Trump administration? Who will control analytics data collected by the Trump administration’s social media accounts etc? How effective as a tool of investigation can Subject Access Requests be?”

Even as the Indian government issued a notice to Cambridge Analytica demanding to know whether it has similarly tried to influence elections here by misusing data to profile Indians, the threat to democracy anywhere in the world becomes even more real considering social media giants like Facebook have a huge presence globally. 

In such a context, how can individuals protect themselves from manipulation? Paul’s startup helps people exercise greater control over their digital identity. “We help companies drive progressive data protections and privacy agendas, beyond just compliance. We help journalists increase awareness on relevant data protection issues. We advise regulators on how to address those issues,” is how introduces itself.

A PhD in Mathematics from Stanford, Paul’s bio says that he has always been “curious about new technologies, both in the physical and digital world. I like to learn and think about algorithms and the web, and how these will affect science, business, and society. When possible and realistic, I try to contribute towards this future.” His area of interest includes MOOCs, big data, open practices (software, data, science, journalism, government, intelligence), crowdsourcing, semantic technologies, 3D printing, Blockchain technology (Bitcoin/Ethereum).

In an exclusive email interview with YourStory, Paul-Olivier Dehaye, a data protection Ninja if you will, talks about privacy laws and the relevance of data protection issues.

YourStory: You have been at the forefront for a long time in this battle to protect personal data from internet giants? What led to the starting of

Paul-Olivier Dehaye: The need for individuals to have an easy way to exercise their data protection rights.

YS: What have you learnt about people and their relationship to their personal data?

P-O D: That this relationship is highly contextual and highly personal. Also that change will not come from the most extreme of activists, because they put too high requirements on their tools.

YS: What is your opinion about the new European data protection law, General Data Protection Regulation (GDPR)? What are the key ingredients of a sound data protection law that gives citizens of that country total control over their own data?

P-O D: I think the law is pretty good, but the main question will be enforcement. The key ingredient in this data protection law is traceability of your personal data. In theory, you should be able to know a lot of how your data travels, and how it is being processed. In practice, it is, in fact, very difficult.

YS: What happens to someone’s data on Facebook once they have deleted their account?

P-O D: Some of it, particularly almost all the user-submitted content, gets deleted. But the logs remain. Facebook has two types of databases of user content. One collects user-generated content, such as status updates and photos. The other is for log data - a record of what a user does, such as when they log in, click on a Facebook group or post a comment.

YS: India is big on WhatsApp, which belongs to Facebook. What are your insights on how it is using personal data?

P-O D: WhatsApp is end-to-end encrypted, meaning the content of your messages is not readable to them.

However, all the metadata (frequency of your chats and with whom) is visible to WhatsApp and is used to improve Facebook's profiling.

Recently the authorities in Europe have been more forceful in forbidding this.

YS: And what about Google? Hasn't it been eavesdropping on us and laughing all the way to the bank for years? Do you think it is any different from Facebook?

P-O D: It is, in the sense that Google has very little data relating to multiple individuals. Facebook does often, and this complicates its compliance with a law like GDPR. Another difference is that Google has a lot of tools doing the tracking, used by others. In that sense, it is much more exposed to reverse engineering than Facebook's, which is very closed.

YS: How can individuals in India access their data from apps like Twitter, Instagram, Facebook, Tinder, Uber and so on?

P-O D: You don't have the right to access this data unless the app is established in a country where that's the law. Interestingly, for Twitter and Facebook, for instance, Indian citizens would contract with the non-US company office. So that would be in Ireland, and hence you would have the right of access. In practice though, this is implemented through some setting (very hard to find), and even then, only shows parts of your data. In theory, you could ask them for all of it, but that is very difficult to make work.

