This past weekend, revelations surfaced about the misuse and mishandling of app data on Facebook. What supposedly started as a personality test for academic research back in 2014, for which 270,000 people opted in, ended up being a massive scrape of raw data pertaining to them and all their friends. More than 50 million people were profiled. On top of that, the data was reportedly used to help Donald Trump’s presidential campaign.

As Lorenzo Franceschi-Bicchierai from Motherboard points out, this was not quite a data breach; the issue stems more from a combination of Facebook’s terms of service and its API. After collecting the massive data cache, Aleksandr Kogan, the creator of the app, passed the data to Cambridge Analytica, the advertising data firm whose account is now suspended by Facebook.

Franceschi-Bicchierai reports, “Only around 270,000 out of the 50 million people who got their data harvested reportedly signed up for the app. The others probably had no idea this app even existed. And since Facebook changes its privacy settings so frequently, we also don’t know if the people who agreed to use the app fully understood what kind of data they were giving up. And no one at the time knew the data would later be handed out to a shadowy data analytics firm hired by the Trump campaign.”

The data in question was collected in 2014, at a time when Facebook allowed third-party apps broader access to user information: not just that of users who consented, but also that of their friends. Given that policy, Kogan was within bounds in the extensive data collection. However, he had claimed that he would only use the information for academic research. Handing it off to Cambridge Analytica was a policy violation.

The Mercury News reports that Christopher Wylie, a former Cambridge Analytica worker, told NBC’s “Today Show” that the firm “sought to ‘explore mental vulnerabilities of people’ by ‘creating a web of disinformation online so people start going down the rabbit hole of clicking on blogs, websites etc., that make them think things are happening that may not be.’”

The story raises major concerns over privacy and how personal data is used, just as the clock counts down the remaining time until GDPR, the EU data privacy law, goes into effect May 25. “This data collection was par for the course. In other words, it was a feature, not a bug. And while the process that Kogan exploited is no longer allowed, Facebook still collects—and then sells—massive amounts of data on its users,” writes Franceschi-Bicchierai.

Get the full story at Motherboard.