The UK Information Commissioner’s Office (ICO), the independent regulator for data protection and information rights law, has handed Facebook the maximum fine allowed under the 1998 Data Protection Act (DPA) for its involvement in the Cambridge Analytica scandal.
“The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had,” the ICO notes.
The social network further failed to keep the personal information secure because it didn’t check on apps and developers, which led to one developer harvesting the Facebook data of 87 million people worldwide, including UK citizens, without their knowledge, according to the notice.
“A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US,” the ICO says.
The blunder is punishable under the Data Protection Act (a precursor of the GDPR) which allows a maximum fine of £500,000 for one of the richest companies on the planet. According to one estimate, the figure represents 18 minutes of earnings for Facebook – as close as it gets to the saying, “a drop in the ocean.”
Under the GDPR, which took effect in May, Facebook would have incurred a penalty easily exceeding £1 billion.
Elizabeth Denham, Information Commissioner, said “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data,” she added.
Last month, the ICO issued an identical fine to Equifax, whose lax security practices allowed hackers to access personal and financial data of 146 million customers across the US and Europe.