Facebook has been fined £500,000 by the UK’s data protection watchdog over its role in the Cambridge Analytica data scandal.
The Information Commissioner’s Office called the incident a “serious breach of data protection law” and issued Facebook with the maximum fine allowed. The incident took place under old data protection rules; had the new GDPR laws come into effect the fine could have been substantially higher as the ICO is now able to fine companies £17m or 4% of global turnover, whichever is higher.
The ICO informed Facebook it intended to issue a fine back in July as part of a wide-raging investigation into the use of data analytics for political purposes. Despite representations from the company, the ICO went ahead with the decision to issue the maximum fine.
The watchdog says Facebook “failed” to keep personal information secure by not checking on apps and developers using its platform. It adds that Facebook processed personal information “unfairly” by allowing developers to access personal information without clear and informed consent and in cases where users had not downloaded an app but were “simply ‘friends’” with people who had.
Facebook says it is “reviewing” the decision but admits it should have done more.
“While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015,” the company says in a statement.
“We are grateful that the ICO has acknowledged our full co-operation throughout their investigation and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”
The Cambridge Analytica scandal
The Cambridge Analytica scandal relates to the work of researcher Dr Aleksandr Kogan and his company GSR. They used a personality quiz to “harvest” the data of up to 87 million people worldwide, including up to 1 million in the UK, without their knowledge. While only 305,000 people installed the app, it gathered public data on all their friends.
A subset of this data is what was shared with other organisations, including SCL Group, the parent company of Cambridge Analytica.
Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.
Elizabeth Denham, ICO
The ICO says that even after the misuse was discovered, Facebook “did not do enough” to ensure those who continue to hold data took adequate remedial action. It points to the fact that Facebook did not suspend SCL Group from its platform until 2018.
Elizabeth Denham, the Information Commissioner, says: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
She adds: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
While the fine itself will have little impact on Facebook’s revenues, which totalled $40.7bn (£31.5bn) in 2017, it has already seen impacts to its brand and business. User numbers in Europe dropped for the first time in nine years in the second quarter, while a survey of 1,000 consumers conducted for Marketing Week by Toluna found that the breach had prompted 34.4% of those questioned to update their privacy settings and 7.7% to delete their account.
Rachel Aldighieri, managing director of the DMA, points out: “The potential impact of data breaches and privacy concerns like this go far beyond the monetary penalties, the long-term effects on customer trust, share price and public perception of breaking the law could be even more damaging in the long run.”
However, marketers have been relatively quiet on the issue. Only a handful of brands came out publicly to say they had stopped advertising on the social network and revenues at the company continue to grow.
The fine is not the end of the ICO’s investigation into data analytics and political advertising. Denham says the watchdog’s work “is continuing” as it looks to ask bigger questions about how technology and democracy interact and whether the legal, ethical and regulatory frameworks in place are adequate. That investigation will be updated on 6 November, when Denham will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee.