Facebook fined £500,000 for Cambridge Analytica data scandal

The social network receives the maximum penalty under the Data Protection Act 1998

Zuckerberg looking worried

Facebook has been fined 500,000 by the UK's Information Commissioner's Office (ICO) for "serious" breaches of data protection laws involving the improper sharing of data with Cambridge Analytica.

The social network was issued with a Notice of Intent to Fine by the ICO in July, following an investigation into the company's data sharing policies that allowed some 87 million users to have their data harvested by a third-party.

Between 2007 and 2014, the ICO found that Facebook processed its user's data unfairly by allowing app developers access to it without sufficient consent. The scope of Facebook's data harvesting even allowed access to users who had not downloaded the app but were simply friends with people who had.

Despite the company collecting vast amounts of data relating to its users, it failed to make suitable checks on apps and developers using its platform. One such developer, Dr Aleksandar Kogan and his GSR company harvested 87 million peoples data from Facebook without their consent. A significant amount of this data was used by Cambridge Analytica's parent company SCL Group, who was involved in the US election campaigns in 2016.

The ICO's investigation involved a raid on Cambridge Analytica's London offices in March, which resulted in an undisclosed volume of evidence being taken from the property.

The following month Zuckerberg was asked to appear before US Senators to explain Facebook's policies. Despite being one of the most widely reported events of the events of the year, the Facebook founder came away relatively unscathed, with criticisms being directed at Senators for failing to fully understand the nature of the incident.

The ICO said that Facebook did not do enough to hold these developers and companies to account, the SCL Group in particular, which was not suspended from its platform until 2018.

Facebook has now been issued with the maximum penalty allowable under the Data Protection Act 1998, as these offences took place before it was replaced by the GDPR.

Under the European Union's data protection laws, Facebook could have faced a maximum penalty of either 20 million or 4% of its global turn over whichever is higher. In 2017, the company's global turn over was $27.64 billion, according to Facebook's filings, which would've translated to a fine of 960 million.

"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation," said Information Commissioner Elizabeth Denham. "The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data.

"Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based."

Forrester senior analyst Enza Iannopollo told IT Pro that the incident is symptomatic of a lack of direction in the company. 

"This investigation describes in some detail not only how Facebook failed to respect and protect their users' personal data, but it also demonstrates its inability to manage third parties," explains Innopollo. "More importantly, it tells us how Facebook hugely undermined the trust of its users."

"While this investigation is about one company, every business that collects and/or processes personal data must take note and ensure they make no mistakes," she added. "First and foremost, this is about customers' trust and business reputation. Even more than regulations, firms should be scared about their customers leaving them when they breach their data and their trust."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Ubiquiti insider says the company downplayed the severity of a major breach
data breaches

Ubiquiti insider says the company downplayed the severity of a major breach

31 Mar 2021
Forex broker FBS leaves millions of customer records exposed
data breaches

Forex broker FBS leaves millions of customer records exposed

25 Mar 2021
Performance benchmark: PostgreSQL/ MongoDB
Whitepaper

Performance benchmark: PostgreSQL/ MongoDB

22 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021