Facebook fined £500,000 for Cambridge Analytica data scandal

The social network receives the maximum penalty under the Data Protection Act 1998

Zuckerberg looking worried

Facebook has been fined 500,000 by the UK's Information Commissioner's Office (ICO) for "serious" breaches of data protection laws involving the improper sharing of data with Cambridge Analytica.

The social network was issued with a Notice of Intent to Fine by the ICO in July, following an investigation into the company's data sharing policies that allowed some 87 million users to have their data harvested by a third-party.

Between 2007 and 2014, the ICO found that Facebook processed its user's data unfairly by allowing app developers access to it without sufficient consent. The scope of Facebook's data harvesting even allowed access to users who had not downloaded the app but were simply friends with people who had.

Despite the company collecting vast amounts of data relating to its users, it failed to make suitable checks on apps and developers using its platform. One such developer, Dr Aleksandar Kogan and his GSR company harvested 87 million peoples data from Facebook without their consent. A significant amount of this data was used by Cambridge Analytica's parent company SCL Group, who was involved in the US election campaigns in 2016.

The ICO's investigation involved a raid on Cambridge Analytica's London offices in March, which resulted in an undisclosed volume of evidence being taken from the property.

The following month Zuckerberg was asked to appear before US Senators to explain Facebook's policies. Despite being one of the most widely reported events of the events of the year, the Facebook founder came away relatively unscathed, with criticisms being directed at Senators for failing to fully understand the nature of the incident.

The ICO said that Facebook did not do enough to hold these developers and companies to account, the SCL Group in particular, which was not suspended from its platform until 2018.

Facebook has now been issued with the maximum penalty allowable under the Data Protection Act 1998, as these offences took place before it was replaced by the GDPR.

Under the European Union's data protection laws, Facebook could have faced a maximum penalty of either 20 million or 4% of its global turn over whichever is higher. In 2017, the company's global turn over was $27.64 billion, according to Facebook's filings, which would've translated to a fine of 960 million.

"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation," said Information Commissioner Elizabeth Denham. "The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data.

"Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based."

Forrester senior analyst Enza Iannopollo told IT Pro that the incident is symptomatic of a lack of direction in the company. 

"This investigation describes in some detail not only how Facebook failed to respect and protect their users' personal data, but it also demonstrates its inability to manage third parties," explains Innopollo. "More importantly, it tells us how Facebook hugely undermined the trust of its users."

"While this investigation is about one company, every business that collects and/or processes personal data must take note and ensure they make no mistakes," she added. "First and foremost, this is about customers' trust and business reputation. Even more than regulations, firms should be scared about their customers leaving them when they breach their data and their trust."

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020