The UK’s privacy watchdog has fined Facebook £500,000 for “serious breaches” of data protection law concerning the Cambridge Analytica scandal.
It is the maximum fine the Information Commissioner’s Office could have issued under the Data Protection Act 1998. Under GDPR, the US tech giant could have been fined up to four per cent of its annual global turnover.
In July, the regulator signalled its intention to fine Facebook as part of its investigation into digital political advertising. Today (25 October), it said that “after considering representations from the company”, it had decided the amount would “remain unchanged”.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data,” the Information Commissioner, Elizabeth Denham, said in a statement. “A company of its size and expertise should have known better and it should have done better.”
Earlier this year, it emerged that an academic at the University of Cambridge had built a personality app in 2013 to mine 87 million people’s data, largely without their knowledge, before allegedly sharing the data with Cambridge Analytica.
The ICO confirmed on Thursday that at least one million UK users’ personal information was among the harvested data, although whether this data was passed on to Cambridge Analytica remains a matter of contention.
In a statement, Facebook said it was grateful to the ICO for confirming “they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica”. While this is strictly true, the ICO’s penalty notice was less clear-cut.
“Facebook has asserted that the only individuals whose personal data was used in this way were US resident,” it states. “On the basis of the information currently available to the Commissioner it is not possible to determine whether this assertion is correct.”
The notice continues: “Even if Facebook’s assertion is correct, […] some US residents would also, from time to time, have been UK users […] e.g. if they used the Facebook site while visiting the UK.
“By reason of the matters set out above, the personal data of UK Users who were UK residents was put at serious risk of being shared and used in connection with or for the purposes of political campaigning (even if that risk did not eventuate).”
Facebook said: “We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica. Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”
Denham is expected to provide an update on the ICO’s digital political advertising investigation on 6 November.