Facebook fined £500,000 for Cambridge Analytica data scandal

The social network receives the maximum penalty under the Data Protection Act 1998

Zuckerberg looking worried

Facebook has been fined 500,000 by the UK's Information Commissioner's Office (ICO) for "serious" breaches of data protection laws involving the improper sharing of data with Cambridge Analytica.

The social network was issued with a Notice of Intent to Fine by the ICO in July, following an investigation into the company's data sharing policies that allowed some 87 million users to have their data harvested by a third-party.

Between 2007 and 2014, the ICO found that Facebook processed its user's data unfairly by allowing app developers access to it without sufficient consent. The scope of Facebook's data harvesting even allowed access to users who had not downloaded the app but were simply friends with people who had.

Despite the company collecting vast amounts of data relating to its users, it failed to make suitable checks on apps and developers using its platform. One such developer, Dr Aleksandar Kogan and his GSR company harvested 87 million peoples data from Facebook without their consent. A significant amount of this data was used by Cambridge Analytica's parent company SCL Group, who was involved in the US election campaigns in 2016.

Advertisement - Article continues below
Advertisement - Article continues below

The ICO's investigation involved a raid on Cambridge Analytica's London offices in March, which resulted in an undisclosed volume of evidence being taken from the property.

The following month Zuckerberg was asked to appear before US Senators to explain Facebook's policies. Despite being one of the most widely reported events of the events of the year, the Facebook founder came away relatively unscathed, with criticisms being directed at Senators for failing to fully understand the nature of the incident.

The ICO said that Facebook did not do enough to hold these developers and companies to account, the SCL Group in particular, which was not suspended from its platform until 2018.

Facebook has now been issued with the maximum penalty allowable under the Data Protection Act 1998, as these offences took place before it was replaced by the GDPR.

Under the European Union's data protection laws, Facebook could have faced a maximum penalty of either 20 million or 4% of its global turn over whichever is higher. In 2017, the company's global turn over was $27.64 billion, according to Facebook's filings, which would've translated to a fine of 960 million.

"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation," said Information Commissioner Elizabeth Denham. "The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data.

Advertisement - Article continues below

"Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based."

Forrester senior analyst Enza Iannopollo told IT Pro that the incident is symptomatic of a lack of direction in the company. 

"This investigation describes in some detail not only how Facebook failed to respect and protect their users' personal data, but it also demonstrates its inability to manage third parties," explains Innopollo. "More importantly, it tells us how Facebook hugely undermined the trust of its users."

"While this investigation is about one company, every business that collects and/or processes personal data must take note and ensure they make no mistakes," she added. "First and foremost, this is about customers' trust and business reputation. Even more than regulations, firms should be scared about their customers leaving them when they breach their data and their trust."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020