The UK’s data protection regulator (the ICO) has announced that it intends to impose a fine of £500,000 on Facebook for its role in the Cambridge Analytica scandal*. With the recent coverage of the GDPR and the increased fines of up to €20 million or 4% of global annual turnover for the most serious breaches, £500k may seem surprisingly low. However, this is the maximum penalty the ICO is able to issue in respect of breaches occurring before 25 May 2018 and would in fact be the highest fine the ICO has ever issued.
The announcement was made as part of the ICO’s progress report into its investigation of the use of data analytics in political campaigns. The investigation was launched in response to allegations that data obtained from Facebook by Cambridge Analytica was misused by both sides in the UK referendum on membership of the EU and to target voters during the 2016 American Presidential election process.
The breaches relate to the Cambridge Analytica app which scraped data from the profiles of the 320,000 US Facebook users who used the app (a personality quiz) and also from those users’ friends’ accounts (an estimated 87 million users worldwide, including 1 million UK users). Facebook was not sufficiently transparent with users concerning the ability of the app to access profile data and, despite being aware of potential breaches of its terms of service, Facebook did not implement adequate security measures to restrict Cambridge Analytica’s collection and use of Facebook data.
This is the strongest indication yet from the ICO that it is prepared to use the full range of its regulatory powers to deal with the most flagrant data breaches. Facebook has certainly got off lightly with a fine of £500k due to the timing of the breach; a GDPR fine could easily have been in the tens of millions. Social media platforms and political parties and campaigns are clearly high on the ICO’s current agenda, but other global businesses ought to take note too.
Most businesses are unlikely to ever face fines in the region of €20m or higher. However, practices which show a disregard for data laws and the privacy rights of individuals will attract the ICO’s attention and little leniency will be shown. Businesses operating in the EEA must ensure that they provide sufficient information to individuals about the use of their personal data, that they properly safeguard that personal data and, in the event of a data breach, take prompt and effective measures in response.
*Facebook now have an opportunity to respond to the ICO Notice before the penalty is finalised.
Excerpts from this article were first published on LexisPSL on 11/07/2018