Facebook has been fined £500,000 by the Information Commissioner’s Office in the wake of the Cambridge Analytica scandal, after allowing third-party developers to access users’ information without sufficient consent.
The ICO announcement on Thursday upholds its initial decision in July. The fine, which represents a drop in the ocean for a company that brought in $13.2bn (£10.2bn) in global revenue in the last financial quarter, was the maximum available to the regulator under old data protection legislation.
The ICO found that the personal information of at least 1 million UK users was among the harvested data and was consequently put at risk of further misuse.
The ICO announcement on Thursday upholds its initial decision from July. Photograph: Marcio Jose Sanchez/AP
The investigation found that Facebook failed to keep the personal information of its users secure by failing to make suitable checks on apps and developers using its platform. These failings meant one developer, Aleksandr Kogan, and his company, GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.
The Guardian
A subset of the data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica, which was involved in political campaigning in the US.
“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion,” said the ICO report. “In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”
If the breaches had taken place under the new GDPR legislation, the information commissioner would be able to fine Facebook a maximum of either £17m or 4% of global turnover, whichever is the higher amount.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data,” said the information commissioner, Elizabeth Denham.
“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.