ICO Confirms Facebook Maximum Fine Of £500,000

Information Commissioner confirms maximum possible fine for Facebook over Cambridge Analytica

The Information Commissioner’s Office (ICO) has confirmed that it has fined Facebook the maximum possible amount over its role in the Cambridge Analytica data sharing scandal.

It comes after the ICO issued its Notice of Intent to fine Facebook in July. Now the ICO has confirmed it “has fined Facebook £500,000 for serious breaches of data protection law.”

Cambridge Analytica was at the centre of a row over the alleged misuse of the personal data on 87 million people, mostly in the US, and such was the scandal that the political consultancy was forced to shut down soon afterwards.


Maximum penalty

The ICO investigation began in March this year after the regulator raided Cambridge Analytica’s offices and seized its servers.

And now it has decided to fine Facebook the maximum possible amount under the Data Protection Act 1998, which was in force at the time of the Cambridge Analytica scandal.

“After considering representations from the company, the ICO has issued the fine to Facebook and confirmed that the amount – the maximum allowable under the laws which applied at the time the incidents occurred – will remain unchanged,” said the ICO.

The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.

The ICO also said that Facebook failed to keep the personal information secure because it did not make suitable checks on apps and developers using its platform.

“These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge,” said the ICO. “A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.

“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion,” said the ICO. “In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

Serious violation

The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data,” said Elizabeth Denham, Information Commissioner.

“A company of its size and expertise should have known better and it should have done better,” she added.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation,” said Denham. “The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

Stiffer penalties

The fact that Denham has said the ICO would have imposed a much higher penalty, had it been legally able to, should worry Facebook and other firms handling customer data.

Ever since 2010 the ICO has had the power to levy fines of up to half a million pounds under the Data Protection Act 1998, and it has hit some organisations with extremely stiff penalties over the years, but it has rarely imposed the maximum amount.

While some may regard the £500,000 fine as little more than a slap on the wrist to firms such as Facebook, the new Data Protection Act 2018 (introduced in May) and the General Data Protection Regulation (GDPR) rules introduced in the summer could see the imposition of much stiffer fines.

The GDPR rules mean that firms can face fines of 4 percent of global turnover or 20m euros (£18m), whichever is greater, in the case of serious breaches.
