The Information Commissioner’s Office (ICO) has fined social media empire Facebook £500,000 for its part in the Cambridge Analytica scandal that unfolded earlier this year.
Britain’s information regulator announced in July that it intended to fine Facebook as part of its investigation and has now followed up on that Notice of Intent.
The ICO concluded that Facebook had failed to keep the personal information of its users secure by failing to perform suitable checks on the third-party apps and developers using its platform. Between 2007 and 2014, third-party developers were able to harvest the data of users of their apps, as well as the profile data of their connected Facebook friends.
The data of more than one million British users was subsequently used by political consultancy Cambridge Analytica. The firm used the data of some 87m Facebook users to profile and target voters ahead of key political votes, such as the 2016 United States presidential election.
While Facebook did not directly supply Cambridge Analytica with that data, the ICO has decided to uphold the fine as “even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion”.
Announcing the decision, Information Commissioner Elizabeth Denham said:
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
ICO fines Facebook: A symbolic punishment
The ICO’s fine will be easy for Facebook to brush off, given its sheer size. Although the scandal hit Facebook’s share price in the summer, the social media giant is still a $420bn company and has since returned to its pre-scandal trading price.
Many therefore see the ICO’s decision as largely symbolic. Although the fine is no real financial punishment for Facebook, it signals the regulator’s intent to impose maximum penalties for serious misuse of customer data.
The £500,000 fine, the maximum penalty that could be given, was served under the Data Protection Act 1998, as the offence occurred before the General Data Protection Act (GDPR) came into effect in May this year.
Under the new rules, the ICO is able to fine offending companies a maximum of €20m or 4% of global annual turnover, whichever amount is greater.
“We consider these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under GDPR.”