Facebook has been formally fined the maximum penalty of £500,000 by the UK’s data watchdog for failing to protect users’ personal information in the Cambridge Analytica data scandal.
The Information Commissioner’s Office said the breaches of data protection laws in relation to a massive data leak to Cambridge Analytica had been “so serious” that it imposed the maximum fine after its investigation into the use of data analytics for “political purposes”.
The fine confirms plans announced by the ICO in July, when the watchdog said it intended to impose the maximum penalty under the UK’s old privacy laws, but allowed the company time to make representations.
Under the EU’s new General Data Protection Regulation, which came into force in May, the fine would “inevitably have been significantly higher,” Elizabeth Denham, the Information Commissioner, said.
Facebook has been under intense political pressure since the revelation of the massive data leak to Cambridge Analytica in March. Mark Zuckerberg, Facebook’s chief executive and founder, has testified in front of Congress and the EU Parliament, while regulators including the US Federal Trade Commission are probing the company’s privacy practices. But the ICO fine is the first financial punishment imposed in relation to the issue.
The ICO said its investigation had found that, between 2007 and 2014, Facebook had allowed app developers to access users’ personal information unfairly. Data were used “without [users’] sufficiently clear and informed consent,” as well as in instances where users had not downloaded Facebook’s app themselves but were “friends” with people who had.
This meant data from up to 87m US voters could be harvested and passed to Cambridge Analytica, which was employed by US President Donald Trump’s election campaign.
“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion,” the ICO said.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” Ms Denham said.
The fine falls under the Data Protection Act 1998, old rules that were replaced in May by GDPR. The new regulation gives the ICO new enforcement tools — including maximum fines of £17m, or 4 per cent of global turnover — with which to sanction companies deemed to have broken the data protection law. For Facebook, this could have been up to $1.6bn, based on 2017 sales.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR,” said Ms Denham.