It is helpful to think of the housing ads targeted on race, and the change brought about in this area by ProPublica. This was successful because of existing legislation (Fair Housing Act). Facebook can be forced to change its ways depending on the ultimate purpose of the ad.

As explained in one of the very first annotations, for European residents their actual submission to the program takes precedence over the whole Privacy Policy.

This passage mandated by Google (through a contract the website owner has to agree to when getting the javascript code).

Note the structure of the whole thing. They disclose using single-pixel gifs and web beacons, but tell you nothing of what they do with the data they collect there.

Note a nice interplay of EU and US law here. IP address has to be stored in the US, is more weakly covered by data protection laws, is more easily reidentifiable, etc. In short, according to the EU definition, it is personal data. So all the Slack log data of Europeans is personal data.

Note that for European users of Slack seeking to exercise the rights granted to them under Privacy Shield, this Privacy Policy would be secondary to Slack's submission here. In particular, this would be very relevant:

Slack provides online workplace productivity tools and a platform so that our customers can communicate and operate aspects of their businesses. In providing these services, Slack processes data our customers submit to the Services or instruct us to process on their behalves in connection with the services (?Customer Data?). While our customers decide what data to submit, Customer Data typically includes profile information and communications between users or among groups of users (e.g., channels), including message text, files, comments, and links. To the extent that customers? employees? human resources data is included on Slack?s platform, such information is processed by Slack. However, the certification does not cover the human resources data of Slack?s own EU affiliates, which Slack receives pursuant to other data transfer mechanisms.

For instance, after as a MOOC professor I was censored on the Coursera platform, I tried to exercise my rights in front of the arbitration judge empowered by the Safe Harbor agreement (the predecessor to Privacy Shield). The judge eventually dismissed the part of the case where I acted as a professor on the basis that I was then not a customer (the Privacy Shield registration referred to "customer" while the Privacy Policy referred to "user").

Despite helping several of the journalist referenced in this post, I am indeed frustrated at the current reporting on the psychometric testing. Cambridge Analytica's profiling informs individual profiles (reflects beliefs), but their actions are not at individual level (depends on the individual's communities to cause new beliefs). This is the way they have operated for a long time (or even were operating through SCL before the founding of CA). The existence of Facebook provides even more scale and obscurity to do exactly this, and potentially very perverse alignment between "paid influencing" and "earned influencing": it is not just about how a message influences an individual directly but also how the individual might seek to influence their communities, and how Facebook will interpret this intent and the receptivity of the community to that message.

This is a fundamental misunderstanding of:

1. what Cambridge Analytica claims to be doing, what the US military understands ISIS to be doing when recruiting,
2. what the US military understands it should be doing (now) against ISIS recruiting tactics,
3. what Cambridge Analytica's parent company SCL teaches NATO to counter this recruiting,
4. the work SCL does for the UK MoD, among others.

In short, their profiling informs individual profiles, their actions are not at individual level.

This evidence is highly unlikely to surface from Cambridge Analytica, given that they are now under investigation. For scientific evidence at individual level, the best sources are very limited right now, but all point in the same direction. There is Kosinski's research and his joint result with Sandra Matz, not-yet-peer-reviewed work (bottom here). See also this.

Note that such evidence (either way) could surface, and that a way for this has been shown by David Carroll's subject access request (and that of others).

These indications originated after the focus was put on Cambridge Analytica, and came from the Trump campaign itself (Brad Parscale), at a time where Parscale was wrestling for control of the outside group pushing Trump's agenda against Rebekah Mercer. Twelve days or so before the election, at a time where it looked where Trump would lose and where Parscale's focus was against the RNC instead, Parscale gave a very different and unguarded account. He only changed it later when it suited him.

The investigation by the Electoral Commission is not into Cambridge Analytica, but rather into the Leave.EU campaign. Indeed, as far as is understood, Cambridge Analytica is not accused of providing "impermissible services", but rather the Leave.EU campaign is accused of accepting perfectly acceptable consulting services but to have failed to disclose this properly per election financing rules. Given the very recent report by Carole Cadwalladr, it is perfectly conceivable that the investigations of the ICO and the EC will however expand.

The Information Commissioner's Office has not stated the scope of their inquiry. It could be investigating also the processing done by Cambridge Analytica on US citizens' data for the US elections. If Cambridge Analytica's claims of having data on political opinions of 220M Americans are true, this would most likely be a breach of EU data protection laws (not rights).

This particular aspect might make it even more of a dystopia to him (linking to another quote in this piece).