Back in July the Information Commissioner's Office threatened Facebook with the "maximum penalty" over the Cambridge Analytica data-sharing scandal. That is a measly £500,000, because the breach had occurred before the far stricter GDPR rules came into effect. Now the ICO has announced that those weren't empty threats, and Facebook will have to fork over half a million pounds.
The ICO is making good on that threat, even if £500,000 is nothing to a company that earned £31.5 billion last year. Sadly this miserable amount is thanks to the breach happening under the watch of old data protection legislation, which has since been replaced by the EU-mandated GDPR. Had the breach, which saw a million UK users' data harvested, happened under the new rules, Facebook could have faced a fine of up to four per cent of its global turnover, which amounts to roughly £1.2 billion.
The ICO's investigation found that Facebook failed to maintain suitable checks on developers to ensure user data was being kept secure. Because of this Aleksandr Kogan was able to harvest the data of 87 million users, even though only around 300,000 people installed his personality-testing app. That data was then shared with other organisations, with some of it being used by Cambridge Analytica to run targeted adverts during the 2016 US presidential election.
Although there was no evidence that UK user data was shared with Cambridge Analytica, the lack of checks meant UK data was “put at serious risk” of being used in political campaigning. Information Commissioner Elizabeth Denham said:
"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better."
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.
“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
Facebook has the right to appeal the decision, but whether it will remains to be seen. It did, however, release a statement regarding the ruling:
“We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”
Now we just need to wait and see how investigations into the latest data breach turn out. Those did happen under the GDPR, after all. But in the meantime you can amuse yourself by reading the full penalty notice for this data breach. [ICO via The Guardian]