Firm claims £500,000 fine is unjustified, as it disputes UK regulator fine over data breach
Facebook has launched an appeal against the half a million pound fine by the Information Commissioners Office (ICO), over its role in the Cambridge Analytica data sharing scandal.
The ICO hit Facebook with a notice of intent in July and later confirmed the maximum fine of £500,000 in October. But now the social networking giant has launched an appeal against the ruling believing it is unjustified as British data was not shared with Cambridge Analytica.
Cambridge Analytica was at the centre of a row over the alleged misuse of personal data on 87 million people, mostly in the US, and such as the scandal that the political consultancy was forced to shut down soon afterwards.
The ICO had imposed the maximum penalty possible on Facebook on the basis that UK members had been put at risk. It alleged that Facebook had not done enough to address this after learning of the problem.
The ICO’s investigation found that between 2007 and 2014, Facebook had allegedly processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.
The ICO also alleged that Facebook failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. However the ICO found no evidence that UK citizens data had been compromised.
“These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge,” said the ICO in October. “A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.
“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion,” said the ICO. “In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”
But Facebook is contending that no British data was put at risk, but it acknowledges that it made mistakes.
The firm launched its appeal on the last day it could legal challenge the ruling.
“The ICO’s investigation stemmed from concerns that UK citizens’ data may have been impacted by Cambridge Analytica, yet they now have confirmed that they have found no evidence to suggest that information of Facebook users in the UK was ever shared by Dr Kogan with Cambridge Analytica, or used by its affiliates in the Brexit referendum,” Facebook’s lawyer Anna Benckert was quoted by the BBC as saying in a statement.
“Therefore, the core of the ICO’s argument no longer relates to the events involving Cambridge Analytica,” Benckert is quoted as saying. “Instead, their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal.”
“For example, under the ICO’s theory people should not be allowed to forward an email or message without having agreement from each person on the original thread,” she said. “These are things done by millions of people every day on services across the internet, which is why we believe the ICO’s decision raises important questions of principle for everyone online which should be considered by an impartial court based on all the relevant evidence.”
The challenge will now be considered by an independent body, called the General Regulatory Chamber tribunal.
Facebook can also take the case to the Court of Appeal if it is still unhappy with that ruling.
The Information Commissioner had suggested in October that it would have imposed a much higher penalty (if it were legally able) on Facebook.
Ever since 2010 the ICO has had the power to levy fines of up to half a million pounds under the Data Protection Act 1998, and it has hit some organisations with extremely stiff penalties over the years, but it has rarely imposed the maximum amount.
While some may regard the £500,000 fine as little more than a slap on the wrist to firms such as Facebook, the new Data Protection Act 2018 (introduced in May) and the General Data Protection Regulation (GDPR) rules introduced in the summer could see the imposition of much stiffer fines.
The GDPR rules means that firms can face fines of 4 percent of global turnover or 20m euros (£18m), whichever is greater, in the case of serious breaches.
How much do you know about privacy? Try our quiz!