Facebook has been hit with a £500,000 fine for its involvement in the Cambridge Analytica scandal. The fine is for two breaches of the Data Protection Act and is the maximum amount that the UK’s GDPR watchdog could impose.
The Information Commissioner’s Office confirmed that Facebook failed to safeguard its users’ information, and that it also failed to be open about how the data was manipulated by other groups.
It is reported that in the first quarter of 2018, Facebook made £500,000 in revenue every five and a half minutes.
The £500,000 cap was set by the Data Protection Act 1998; however, the penalties introduced by the European General Data Protection Regulation (GDPR) cap fines at the higher level of £17 million (€20 million) or 4% of global turnover. For Facebook this would have been £1.4 billion (€1.9 billion). Due to the timing of the breaches, the ICO announced that they were unable to levy a penalty of this size on Facebook.
Elizabeth Denham, the information commissioner, stated “Facebook has failed to provide the kind of protections they are required to under the Data Protection Act”.
“Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system,” added Denham.
“This was a very serious contravention, so in the new regime they would face a much higher fine”. Denham also described the incident as “the most important investigation that the ICO has ever undertaken”.
Erin Egan, Facebook’s chief privacy officer, commented: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon”.
The investigation has led to warning letters being sent to 11 political parties and notices compelling them to agree to data protection audits.
Meanwhile, Cambridge Analytica’s parent company, SCL Elections, has been criminally prosecuted for failing to properly deal with the ICO’s enforcement notice as well as not responding to a Subject Access Request from a person whose data it held. SCL Elections was declared bankrupt in May of this year. This was two months after the Observer reported 50 million Facebook profiles had been obtained. The ICO are reported to have examined whether the company’s directors could still be pursued now that SCL Elections has gone bust.
The investigation uncovered that another company had significant links to Cambridge Analytica. Elizabeth Denham believes Aggregate IQ, a Canadian electoral services company, ‘may still retain’ the data on UK voters. As a result, an enforcement notice was filed against the company by the ICO to prevent the data from being processed.