The Information Commissioner’s Office has finally issued Facebook with the maximum £500,000 fine for serious breaches of data protection law, having issued the company with a “notice of intent” back in July as part of its wide ranging investigation into the use of data analytics for political purposes.
The regulator came in for criticism from some data protection legal experts over the “notice of intent”, with claims that Facebook had not had the chance to defend itself.
But, having considered representations from the company, the ICO has now issued the fine to Facebook and confirmed that the amount – the maximum allowable under the laws which applied at the time the incidents occurred – will remain unchanged.
The company becomes only the second business to receive the maximum penalty. Last month, Equifax was hit with a £500,000 fine for failing to protect the personal information of up to 15 million British citizens during the now infamous cyber attack in 2017.
The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.
Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.
Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.
The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.
Information Commissioner Elizabeth Denham said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s GDPR. These provide a range of new enforcement tools for the ICO, including maximum fines of £17m or 4% of global turnover.
Denham added: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.
“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
Equifax first to be hit with maximum £500k data fine
Major UK data firms under scrutiny as watchdog bites
Denham under fire over ‘unchallenged’ Facebook fine
Emma’s Diary first broker to be fingered in ICO probe
Not us guv…Facebook says no-one in EU was hit by CA
ICO data analytics probe ‘the biggest ever undertaken’
UK firms could face millions of data requests from US
ICO vows to pursue chiefs as Cambridge Analytica folds
Top law firm sets up Facebook UK compensation scheme
Facebook admits over a million Brits hit by data scandal
Cambridge Analytica row ‘lets genie out of the bottle’