The claims that Cambridge Analytica used data harvested from millions of Facebook profiles to target voters in the US general election in 2016 raises tough questions for both companies.

In what appeared to be a damage limitation exercise, the social network preempted the stories that appeared in the Observer and the New York Times over the weekend by banning the political strategy company from its platform while it investigated the claims.

‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower Read more

But this goes much deeper than that. Facebook’s 2.2bn active users might well wonder, how safe is their personal data? And is Facebook doing enough to secure it?

And why did Facebook only react on Friday, when it must have known there was a potential problem many months, if not years, ago.

In August 2016, it sent a legal letter to Christopher Wylie, a former Cambridge Analytica employee, asking him to destroy any data he held that had been improperly collected.

Play Video 3:41 What is the Cambridge Analytica scandal? - video explainer

Facebook did not publicly disclose this at the time, and appears to have carried out no further enforcement other than requiring those who wrongly held the data to “self-certify” that they had indeed destroyed it.

It was only last week, four days after the Observer asked Facebook about the improper transfer of data, that the company moved to suspend Cambridge Analytica from its platform.

More troubling still is the apparent lack of any systematic response to ensure the same type of breach does not happen again.

Facebook has strong technical oversight of how and why third parties can access user data on the platform. But what can it do to stop this information being shared?

A company could legitimately collect Facebook data for one purpose before being bought by another firm, which uses the information for entirely different ends. Given the vast scale of the Facebook ecosystem, it seems likely that other firms could have inherited data.

Facebook may also find its users asking uncomfortable questions about the social network’s own use of data. When the company talks to politicians, it makes a big deal out of its ability to accurately profile voters using the information they give to the site.

Facebook can, it tells those seeking election, separate out the users “who are actively engaged with public political content and have a high propensity to re-share content”. It has boasted about how effective its own political advertising wing has been.

Facebook was “integral” to the 2015 presidential election victory of Poland’s Andrzej Duda, the company claimed. It has cited the Scottish National party’s “powerful combination of Facebook’s targeting and engagement tools” as being responsible for its “overwhelming victory” in the 2015 general election.

The language, and the claims, are very similar to those used by entities such as Cambridge Analytica.