In August we considered the ICO’s investigation into the use of data analytics in political campaigns. The ICO has now confirmed a penalty notice against Facebook imposing a £500,000 fine. This is the maximum fine that the ICO can impose in this situation under the previous Data Protection Act 1998, given that the incident took place before the GDPR (and the Data Protection Act 2018) came into force.
What happened?
In 2014, a personality quiz app on Facebook’s website was used to gather the personal data of up to 87 million individuals. The app not only collected the personal data of those doing the quiz, but also the public data of their friends on Facebook. Some of this data was disclosed to Cambridge Analytica and it was subsequently used by them in relation to political advertising in the United States.
This was discovered by Facebook in December 2015. However, the ICO was of the opinion that Facebook did not take sufficient measures to ensure that third parties who possessed the personal data had taken suitable remedial action, such as requiring those third parties to delete the data. Earlier this year, the ICO informed Facebook that it was intending to impose a fine of £500,000.
The data protection issues
The first and seventh data protection principles were deemed to have been breached by Facebook.
The first data protection principle pertains to fair and lawful processing. Facebook breached this principle as it did not process the personal data of Facebook users fairly. Facebook allowed the app to gather the personal data of the friends of those using the app, without notifying those individuals that their data was being harvested or obtaining their consent. Facebook took no action to prevent this.
The seventh data protection principle requires organisations to take “appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.” The ICO held that this principle had been breached, given Facebook’s failure to implement systems to keep personal data secure.
Comment on the decision
Confirming the £500,000 fine, the ICO have stated the following:
“Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.”
The ICO also criticised Facebook’s failure to keep the stored personal data secure: Facebook did not carry out appropriate checks on the third-party apps and developers that used Facebook APIs.
Elizabeth Denham, the Information Commissioner, has stated that “a company of its (Facebook’s) size and expertise should have known better and it should have done better.”
Facebook has indicated that it is currently considering the ICO’s decision and has stated that, whilst it disagrees with a number of the ICO’s findings, it acknowledges that it ought to have been more proactive in 2015 when it became aware that the personal data had been disclosed to other third parties for alternative purposes.
Practical significance
The issuing of the maximum fine in this case is highly significant. Elizabeth Denham has commented that, had the GDPR been applicable, the fine imposed would have been considerably higher. Given Facebook’s current global revenue (over $40 billion last year), a fine of only £500,000 seems rather insignificant. However, since the GDPR permits a fine of up to 4% of global turnover, a much higher fine could have been imposed had this incident occurred after 25 May 2018.
Elizabeth Denham has commented that one of the ICO’s “main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.” The fact that it is now possible for the ICO to impose much higher fines may assist in the realisation of the ICO’s aim.