show image

Facebook settles ICO fine over Cambridge Analytica scandal

Facebook has agreed to pay a £500,000 fine issued by the UK’s data protection watchdog in light of the Cambridge Analytica scandal.

The settlement, in which Facebook agreed to withdraw its appeal but did not make an admission of liability, brings to a close a year-long legal battle that threatened to embarrass both organisations.

The Information Commissioner’s Office levied the fine against Facebook in October last year, after it emerged that an academic at the University of Cambridge had devised a personality quiz to scrape information from tens of millions profiles, which belonged to players and their friends, before passing on the data to Cambridge Analytica.

The political consultancy firm, which entered administration after the revelations became public, obtained data on around 30 million of the 87 million users whose information was harvested. It then analysed the data to develop “psychographic” profiles of different kinds of voters to support digital political advertising in the US, where it worked on Donald Trump’s presidential campaign.

But Facebook had appealed the fine on the grounds that while one million British users’ data was harvested by Kogan, the Information Commissioner’s Office had not found evidence that any EU data had been shared with Cambridge Analytica.

The ICO, meanwhile, contended that British users’ data had been put at “serious risk of harm” and that Facebook had failed to act quickly enough to crack down on the issue.

In June, the tribunal tasked with handling Facebook’s appeal ruled that it should consider the company’s claim that the ICO’s verdict had been biased, a decision the ICO in turn appealed last month.

Under the terms of the settlement, both organisations have dropped their appeals and Facebook has agreed to pay the fine, which goes to the Treasury, but it has “made no admission of liability in relation to the [monetary penalty notice]”, according to the ICO. The ICO and Facebook will pay for their own legal costs as is standard procedure in these cases.

James Dipple-Johnstone, the deputy commissioner, said the watchdog “welcomes the agreement reached with Facebook for the withdrawal of their appeal against our Monetary Penalty Notice and agreement to pay the fine”.

He added: “The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy.

“We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case.”

Facebook’s director and associate general counsel, Harry Kinmonth, said the company was pleased to have reached a settlement: “As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015. We made major changes to our platform back then, significantly restricting the information which app developers could access.”

He added: “Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information.”

The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr Kogan. However, we look forward to continuing to cooperate with the ICO’s wider and ongoing investigation into the use of data analytics for political purposes.”

Aleksander Kogan, the academic who passed on data to Cambridge Analytica, has since launched a defamation suit against Facebook for alleging that he had lied about what he would do with the data. He claims that the terms and conditions of his app made clear that the information would not be used solely for academic purposes. Facebook had changed its privacy policy in 2014 to prevent app developers from hoovering up data on users’ friends, but it provided a 12-month grace period in which Kogan was able to harvest the data.

The £500,000 fine is the highest the ICO could issue under the data protection legislation which was in force at the time of the incident. Facebook has since been fined $5bn (£3.8bn) by the US Federal Trade Commission following its own investigation into the scandal.