Facebook fined £500,000 for Cambridge Analytica data scandal
The social network receives the maximum penalty under the Data Protection Act 1998
Facebook has been fined £500,000 by the UK's Information Commissioner's Office (ICO) for "serious" breaches of data protection laws involving the improper sharing of data with Cambridge Analytica.
The social network was issued with a Notice of Intent to Fine by the ICO in July, following an investigation into the company's data sharing policies that allowed some 87 million users to have their data harvested by a third party.
Between 2007 and 2014, the ICO found, Facebook processed its users' data unfairly by allowing app developers access to it without sufficient consent. The scope of Facebook's data harvesting even allowed an app to access the data of users who had not downloaded it but were simply friends with people who had.
Despite collecting vast amounts of data relating to its users, the company failed to make suitable checks on apps and developers using its platform. One such developer, Dr Aleksandar Kogan, and his company GSR harvested 87 million people's data from Facebook without their consent. A significant amount of this data was used by Cambridge Analytica's parent company, SCL Group, which was involved in the US election campaigns in 2016.
The ICO's investigation involved a raid on Cambridge Analytica's London offices in March, which resulted in an undisclosed volume of evidence being taken from the property.
The following month Zuckerberg was asked to appear before US Senators to explain Facebook's policies. Despite being one of the most widely reported events of the year, the Facebook founder came away relatively unscathed, with criticism instead directed at Senators for failing to fully understand the nature of the incident.
The ICO said that Facebook did not do enough to hold these developers and companies to account, the SCL Group in particular, which was not suspended from its platform until 2018.
Under the European Union's data protection laws, Facebook could have faced a maximum penalty of either €20 million or 4% of its global turnover, whichever is higher. In 2017, the company's global turnover was $27.64 billion, according to Facebook's filings, which would have translated to a fine of €960 million.
"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation," said Information Commissioner Elizabeth Denham. "The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data.
"Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based."
Forrester senior analyst Enza Iannopollo told IT Pro that the incident is symptomatic of a lack of direction in the company.
"This investigation describes in some detail not only how Facebook failed to respect and protect their users' personal data, but it also demonstrates its inability to manage third parties," explains Iannopollo. "More importantly, it tells us how Facebook hugely undermined the trust of its users."
"While this investigation is about one company, every business that collects and/or processes personal data must take note and ensure they make no mistakes," she added. "First and foremost, this is about customers' trust and business reputation. Even more than regulations, firms should be scared about their customers leaving them when they breach their data and their trust."