The UK’s data protection regulator intends to issue Facebook with a record £500,000 fine over its handling of the Cambridge Analytica scandal.
The announcement was timed to coincide with the publication of an explosive report today that unveils the initial findings of what the Information Commissioner’s Office describes as the most important investigation in its history.
In the report, which casts a spotlight on digital political advertising, the ICO claims that Facebook failed to safeguard people’s personal information after an academic built a personality app to mine 87 million people’s data largely without their knowledge, before allegedly sharing it with Cambridge Analytica. It also censured the social media giant for failing to disclose how users’ data has been harvested.
In addition to fining Facebook, the ICO has laid out a number of measures it is taking as part of its investigation:
- The regulator is launching a criminal prosecution against SCL Elections, Cambridge Analytica’s parent company, for failing to deal with an enforcement notice mandating it to supply a US academic with details of the data it holds on him.
- Aggregate IQ, a Canadian data firm that worked with Vote Leave on the Brexit campaign, has been issued with an enforcement notice to stop processing retained data belonging to UK citizens that was shared by Vote Leave.
- The ICO is carrying out audits of “the main credit reference companies” and Cambridge University Psychometric Centre, the institute at which the academic Aleksandr Kogan worked while building the personality app.
- It is sending warning letters to 11 political parties compelling them to agree to audits of their data protection practices.
In a call with reporters on Tuesday afternoon, the Information Commissioner Elizabeth Denham said the work amounted to “the most important investigation the ICO has ever undertaken”.
“It’s an important moment for data protection because most of us have an understanding of the behavioural targeting that commercial entities have used for a very long time to sell us holidays, to sell us trainers, to be able to target us around the web,” she said. “But I think very few people had an awareness of how they can be micro-targeted or persuaded or nudged in a democratic campaign, in an election or referendum.”
But Denham said the statement is “in dispute” and that the ICO was continuing to analyse Kogan’s datasets to determine whether European data was shared with Cambridge Analytica.
“At the end of the day though, Facebook’s argument that no European data has been shared between Dr Kogan and Cambridge Analytica doesn’t matter,” she said.
“What matters is Facebook’s responsibility in terms of the platform. We know that 87m profiles around the world were collected through just 320,000 actual users of the app. Users from around the world across all continents were involved in that.”
The £500,000 fine is the maximum the ICO can issue under the Data Protection Act 1998, which governed breaches before the EU’s General Data Protection Regulation came into effect on 25 May. Denham refused to speculate on how high the fine might have been if GDPR had been in effect, but said: “This sends a clear signal that I can consider this to be a significant issue especially when you look at the scale and the impact of this kind of data breach.”
Facebook now has a chance to respond to the ICO’s “Notice of Intent” before a final decision is made. Erin Egan, the company’s chief privacy officer, said in a statement: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015.
“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”
Detailed findings of the next stage of the ICO’s investigation are expected to be published in October.