Facebook Hit with UK£500k Fine for Pre-GDPR Data Breach

In the United Kingdom last week, the Information Commissioner’s Office (ICO) hit social media platform Facebook with a relatively small but symbolic fine in relation to the Cambridge Analytica data protection law breaches, which involved millions of users’ data being improperly accessed by the consultancy group.

The penalty applied was UK£500,000, the maximum possible penalty that could have been sanctioned prior to the May 25 introduction date of the European Union’s General Data Protection Regulation legislation. Under the new laws the fine could have been up to a maximum of UK£20 million or 4% of annual global revenue, whichever figure is higher.

The ICO released a statement that said: “The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others”. Information Commissioner Elizabeth Denham was highly critical of the disregard that Facebook showed for data protection legislation in not protecting people’s private information and in not being transparent about how data was gathered by other platform users.

During the investigation Facebook Chief Executive Officer Mark Zuckerberg faced questions as to how the political consultancy managed to be in possession of the personal data of 87 million Facebook users. Facebook responded to the penalty via an email from Facebook chief privacy officer Erin Egan which read: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”

British MP Damian Collins, the chair of the Digital, Culture, Media and Sport Committee that has been investigating Cambridge Analytica, said: “Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way. This cannot be left to a secret internal investigation at Facebook. If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.

“Facebook users will be rightly concerned that the company left their data far too vulnerable to being collected without their consent by developers working on behalf of companies like Cambridge Analytica. The number of Facebook users affected by this kind of data scraping may be far greater than has currently been acknowledged. Facebook should now make the results of their internal investigations known to the ICO, our committee and other relevant investigatory authorities.”

Facebook also stated that it had previously, in 2015, implemented measures against Cambridge Analytica and said that it is focused on working with U.K. and other countries’ data protection authorities in ongoing investigations around the world.