The Information Commissioner’s Office (“ICO”) has announced that Facebook is to be fined £500,000 for its part in the Cambridge Analytica scandal.
The ICO concluded that Facebook failed to safeguard its users’ information and be transparent about how such data was harvested by others. The Information Commissioner Elizabeth Denham said:
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act…Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
In the first quarter of 2018, Facebook took £500,000 in revenue every five and a half minutes. The fine is for two breaches of the old Data Protection Act 1998 and this was the maximum fine available under previous legislation. Due to the timing of the breaches, the ICO was unable to levy the penalties introduced by the European General Data Protection (“GDPR”), which caps fines at the higher level of €20m (£17m) or 4% of global turnover – in Facebook’s case, $1.9bn (£1.4bn). The fine levied under the pre-GDPR rules means this financial blow to Facebook is very limited compared to what they will face under the GDPR.
The inquiry has also resulted in warning letters being sent to 11 political parties with notices compelling them to agree to data protection audits. The ICO’s report is an interim paper, released to guide a parallel inquiry by the DCMS select committee in the Commons. The full report is due in October 2018.
Other European nations are free to follow up with their own investigations if they decide the company broke rules in their country. Determining such fines and whether they will be levied under previous data protection laws or the GDPR will be a matter for the Information Commissioner of that jurisdiction to determine. Facebook is currently under investigation in the US, at both federal and state levels for violating a consent decree agreed with the Federal Trade Commission in 2011 obligating the company to keep promises about the preservation of privacy, made to users.