Facebook fined £500,000 for Cambridge Analytica data scandal

The social network receives the maximum penalty under the Data Protection Act 1998

Zuckerberg looking worried

Facebook has been fined 500,000 by the UK's Information Commissioner's Office (ICO) for "serious" breaches of data protection laws involving the improper sharing of data with Cambridge Analytica.

The social network was issued with a Notice of Intent to Fine by the ICO in July, following an investigation into the company's data sharing policies that allowed some 87 million users to have their data harvested by a third-party.

Between 2007 and 2014, the ICO found that Facebook processed its user's data unfairly by allowing app developers access to it without sufficient consent. The scope of Facebook's data harvesting even allowed access to users who had not downloaded the app but were simply friends with people who had.

Despite the company collecting vast amounts of data relating to its users, it failed to make suitable checks on apps and developers using its platform. One such developer, Dr Aleksandar Kogan and his GSR company harvested 87 million peoples data from Facebook without their consent. A significant amount of this data was used by Cambridge Analytica's parent company SCL Group, who was involved in the US election campaigns in 2016.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The ICO's investigation involved a raid on Cambridge Analytica's London offices in March, which resulted in an undisclosed volume of evidence being taken from the property.

The following month Zuckerberg was asked to appear before US Senators to explain Facebook's policies. Despite being one of the most widely reported events of the events of the year, the Facebook founder came away relatively unscathed, with criticisms being directed at Senators for failing to fully understand the nature of the incident.

The ICO said that Facebook did not do enough to hold these developers and companies to account, the SCL Group in particular, which was not suspended from its platform until 2018.

Facebook has now been issued with the maximum penalty allowable under the Data Protection Act 1998, as these offences took place before it was replaced by the GDPR.

Under the European Union's data protection laws, Facebook could have faced a maximum penalty of either 20 million or 4% of its global turn over whichever is higher. In 2017, the company's global turn over was $27.64 billion, according to Facebook's filings, which would've translated to a fine of 960 million.

"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation," said Information Commissioner Elizabeth Denham. "The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data.

Advertisement - Article continues below

"Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based."

Forrester senior analyst Enza Iannopollo told IT Pro that the incident is symptomatic of a lack of direction in the company. 

"This investigation describes in some detail not only how Facebook failed to respect and protect their users' personal data, but it also demonstrates its inability to manage third parties," explains Innopollo. "More importantly, it tells us how Facebook hugely undermined the trust of its users."

"While this investigation is about one company, every business that collects and/or processes personal data must take note and ensure they make no mistakes," she added. "First and foremost, this is about customers' trust and business reputation. Even more than regulations, firms should be scared about their customers leaving them when they breach their data and their trust."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019