The Information Commissioner’s Office (ICO) has fined social media empire Facebook £500,000 for its part in the Cambridge Analytica scandal that unfolded earlier this year.

Britain’s information regulator announced in July that it intended to fine Facebook as part of its investigation and has now followed up on that Notice of Intent.

The ICO concluded that Facebook had failed to keep the personal information of its users secure by failing to perform suitable checks on the third-party apps and developers using its platform. Between 2007 and 2014, third-party developers were able to harvest the data of users of their apps, as well as the profile data of their connected Facebook friends.

The data of more than one million British users was subsequently used by political consultancy Cambridge Analytica. The firm used the data of some 87m Facebook users to profile and target voters ahead of key political votes, such as the 2016 United States presidential election.

While Facebook did not directly supply Cambridge Analytica with that data, the ICO has decided to uphold the fine as “even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion”.

Announcing the decision, Information Commissioner Elizabeth Denham said:

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

ICO fines Facebook: A symbolic punishment

The ICO’s fine will be easy for Facebook to brush off, given its sheer size. Despite seeing the Facebook share price hit by the scandal in the summer, the social media giant is still a $420bn company, having since returned to its pre-scandal trading price.

The opinion of many is that the ICO’s decision is a largely symbolic one. Despite failing to punish Facebook financially, this shows the commission’s intent to dish out maximum penalties for serious misuse of customer data.

The £500,000 fine, the maximum penalty that could be given, was served under the Data Protection Act 1998, as the offence occurred before the General Data Protection Act (GDPR) came into effect in May this year.

Under new laws, the ICO is able to fine guilty companies a maximum penalty of €20m or 4% of global annual turnover, whichever amount is greater.

Denham said:

“We consider these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitable have been significantly higher under GDPR.”

Read more: Yahoo security breach settlement of $50m to set important tech precedent