Facebook fined £500,000 in relation to Cambridge Analytica data scandal

In August we considered the ICO’s investigation into the use of data analytics in political campaigns. The ICO has now confirmed a penalty notice against Facebook imposing a £500,000 fine.  This is the maximum fine that the ICO can impose in this situation under the previous Data Protection Act 1998, given that the incident took place before the GDPR (and the Data Protection Act 2018) came into force.

What happened?

In 2014, a personality quiz app on Facebook’s website was used to gather the personal data of up to 87 million individuals.  The app not only collected the personal data of those doing the quiz, but also the public data of their friends on Facebook.   Some of this data was disclosed to Cambridge Analytica and it was subsequently used by them in relation to political advertising in the United States.

This was discovered by Facebook in December 2015.  However the ICO were of the opinion that Facebook did not take sufficient measures to ensure that third parties who possessed the personal data had taken suitable remedial action, such as requiring third parties to delete such data. Earlier this year, the ICO informed Facebook that it was intending to impose a fine of £500,000.

The data protection issues

The first and seventh data protection principles were deemed to have been breached by Facebook.

The first data protection principle pertains to fair and lawful processing.  Facebook breached this principle as they did not process the personal data of Facebook users fairly.  Facebook allowed the app to gather the personal data of the friends of those using the app, without notifying those individuals that their data was being harvested or asking them to supply consent.  Facebook took no action to prevent this.

The seventh data protection principle requires organisations to take “appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.”  The ICO held that this principle had been breached, given Facebook’s failure to implement systems to keep personal data secure.

Comment on the decision

Confirming the £500,000 fine, the ICO have stated the following:

“Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.”

The ICO also criticised Facebook’s inability to keep the personal data stored secure – Facebook did not carry out appropriate checks on third party apps and developers that used Facebook APIs.

Elizabeth Denham, the Information Commissioner, has stated that “a company of its (Facebook’s) size and expertise should have known better and it should have done better.”

Facebook has indicated that it is currently considering the ICO’s decision and has stated that whilst it disagrees with a number of the ICO’s findings, it acknowledges that it ought to have been more pro-active in 2015 when it became aware of the personal data being disclosed to other third parties for alternative purposes.

Practical significance

The issuing of the maximum fine in this case is highly significant. Elizabeth Denham has commented that, had the GDPR been applicable, the fine imposed would have been considerably higher. Given Facebook’s current global revenue (over $40 billion last year), a fine of only £500,000 seems rather insignificant.  However, in light of the fact that GDPR permits a fine of up to 4% of global turnover to be imposed, it would have been possible for a much higher fine to be imposed, had this incident occurred after 25 May 2018.

Elizabeth Denham has commented that one of the ICO’s “main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”  The fact that it is now possible for the ICO to impose much higher fines may assist in the realisation of the ICO’s aim.

This article was co-written by Charlotte Fleming.

Latest updates from @MacRoberts

  • MacRoberts is recruiting! We currently have a vacancy for a Senior solicitor/associate to join our Private Client… https://t.co/nTGY8Irf5S 10 hours ago
  • This week on our new IGTV mini-series, giving an insight into what it’s like to begin a legal career during the pan… https://t.co/giTipHUGgd 23/06/2021
  • Would you like to work at one of Scotland’s leading law firms? We currently have a number of opportunities availabl… https://t.co/atxn5NHzLj 21/06/2021
  • We currently have a vacancy for a Customer Due Diligence Administrator based in Glasgow or Edinburgh. Please shar… https://t.co/IXsvMkBnYa 18/06/2021
  • Maya Forstater received a lot of media attention around her tweets relating to her beliefs about sex, resulting in… https://t.co/VbDAGhzAqX 18/06/2021
  • Applications for our traineeships starting in 2023 are now open! Get your legal career off to the best possible sta… https://t.co/nx3WmygTTM 18/06/2021
  • RT @DundeeAndAngus: Leading Scottish commercial law firm, @MacRoberts has advised BAM on the ‘game-changing’ Atlantic Square development in… 16/06/2021
  • This week on our new IGTV mini-series, giving an insight into what it’s like to begin a legal career during the pan… https://t.co/tqSQy4tRqG 16/06/2021
  • Self-employed status: What does the Uber case really mean? 🚖 Kenny Scott explains what the recent ruling means for… https://t.co/SIt6iBNYPx 16/06/2021
  • What is the Scottish #gin industry doing to improve #sustainability? Following #WorldGinDay celebrations over the w… https://t.co/P4d0oPh54U 15/06/2021
  • The European Commission has adopted & published versions of two new sets of Standard Contractual Clauses. What ch… https://t.co/c8nMQEo6uk 15/06/2021
  • What impact could Ireland High Court's decision to reject an action by Facebook to block an inquiry by the Irish… https://t.co/leiseQnxYe 14/06/2021
  • Wishing all of our followers a happy #WorldGinDay! ICYMI: Earlier this week, we were delighted to catch up with… https://t.co/OJ85qOwAhN 12/06/2021
  • We're #hiring! We have a #vacancy for a Senior #Solicitor or Associate to join our IP, Technology & Commercial team… https://t.co/YWbpcD0eFD 10/06/2021
  • Dealing with an employee's misconduct when that employee contends it is linked to a disability can be tricky - read… https://t.co/Gy1dLbrwPk 09/06/2021