Facebook has been hit with a maximum penalty fine of £500,000 for its handling of users’ data in the Cambridge Analytica scandal. The Facebook fine is the culmination of a wider investigation by the Information Commissioner’s Office (ICO) into the use of data analytics in political campaigns.
The historical nature of the offences means that the social network has avoided a larger maximum penalty of £1.2bn that could have been enforced under the General Data Protection Regulation (GDPR).
In February, Facebook and Cambridge Analytica became the focus of a wider 14-month investigation after it emerged that an app had been used to collect the data of some 87 million Facebook users across the world.
The ICO concluded that Facebook failed to properly safeguard users’ data from use in political campaigns, including the UK referendum to leave the European Union.
Information commissioner Elizabeth Denham said:
“We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
She added that her goal is to “restore trust and confidence in our democratic system.”
A final decision will be made once Facebook has responded to the Commissioner’s Notice of Intent.
The ICO has also written to the UK’s 11 main political parties, asking them to have their data protection practices audited. The ICO has called for the Government to introduce a statutory Code of Practice for the use of personal data in political campaigns.
Facebook fine avoids $1.6bn GDPR penalty
Facebook’s fine is the maximum that can be levied under the Data Protection Act 1998. The social network has avoided a much larger fine because the offence took place before GDPR came into force on 25 May.
Under GDPR, an organisation can be fined up to 4% of annual global revenue if it is deemed to have failed to comply with the new law in its handling of customer data.
“Such fines are potentially so large they can significantly affect operating margin, and ultimately share prices of large companies,” said Christopher Littlejohns, EMEA manager at software security company Synopsys.
“Personal data collectors and aggregators are particularly at risk to these issues, due to the scale and value of the data they collect; and consequently should be extremely vigilant and diligent in their custodianship of such data.”
ICO shows its intent with Facebook fine
Robert Wassall, head of legal services at ThinkMarble and a data protection lawyer, said the fact that the ICO has issued the maximum fine for the first time reflects how seriously the ICO is treating the case.
“Recently, the ICO has issued a number of significant fines, for example, £325,000 to the Crown Prosecution Service (CPS) on 17 May and £250,000 to Yahoo! on 12 June,” he said.
“This may reflect a tough stance being adopted by the ICO towards data breaches, especially at large/important organisations. If so, it will be very interesting to see what the ICO does when it can bring enforcement actions for breaches that have taken place since the GDPR came into effect on 25 May 2018.”
In addition to the CPS, other public bodies have come under scrutiny over data privacy after a privacy campaign group accused HMRC of breaching GDPR by recording the voices of taxpayers without their consent.
Recent research found that, despite the heavy penalties threatened under GDPR, many companies are still not fully compliant, with a large number making their terms of consent unclear.