ICO fines Facebook £500,000

Written by Peter Walker

The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law.

In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide-ranging investigation into the use of data analytics for political purposes.

After considering representations from the company, it has issued the maximum fine allowable under the Data Protection Act 1998, which applied at the time the incidents occurred.

This was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation (GDPR), which provide a range of new enforcement tools for the ICO, including maximum fines of £17 million or 4 per cent of global turnover.

The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.

Facebook also failed to keep the personal information secure, because it failed to make suitable checks on apps and developers using its platform, stated the ICO. These failings meant one developer, Aleksandr Kogan, and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.

A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica, which was involved in political campaigning in the US and UK.

Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion, noted the ICO. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.

The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

Information commissioner Elizabeth Denham commented: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data – a company of its size and expertise should have known better and it should have done better.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation – the fine would inevitably have been significantly higher under the GDPR.”

Denham added that there are still bigger questions to be asked, and broader conversations to be had, “about how technology and democracy interact and whether the legal, ethical and regulatory frameworks in place are adequate to protect the principles on which our society is based”.

Denham said a further update on the ICO investigation into data analytics for political purposes will occur on 6 November, as she gives evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee.