Facebook fined maximum possible in UK over Cambridge Analytica affair

Facebook will barely notice the fine, but the PR fallout continues.
30 October 2018

A video grab from footage broadcast by the UK Parliament’s Parliamentary Recording Unit (PRU) shows Cambridge Analytica’s former CEO Alexander Nix as he gives evidence to the Parliament’s Digital, Culture, Media and Sport (DCMS) committee at the Houses of Parliament in London on June 6, 2018. (Photo by HO / various sources / AFP)

Facebook has been hit with a fine of GBP500,000 (US$638,000) by the UK's Information Commissioner’s Office (ICO), the maximum amount permissible under UK law.

The ICO is an independent authority that was set up by the UK government to uphold the information rights of the British public and to encourage data privacy and openness on the part of commercial bodies in the country.

Although the fine is unlikely to make much of a dent in Facebook’s accounts, the ICO’s statement lays out in a few concise paragraphs the extent of the data breach, which took place over a number of years. The fine imposed by the ICO is the maximum applicable at the time the offenses took place.

Between 2007 and 2014, Aleksandr Kogan and his company GSR removed personal data of up to 87 million people worldwide without their consent. Some of this data was later shared with other organizations, including SCL Group, the parent company of Cambridge Analytica — the company which has become most associated with the incident.

The data was scraped not only from people who had downloaded and were using an app described as a research aid (wherein users specifically consented to share data), but also from any users who were “friends” with them.

The misuse of data was discovered in December 2015, but Facebook did not suspend the SCL Group’s access to its database until 2018. The ICO found that the personal information of at least 1 million UK users was harvested and placed at risk. Elizabeth Denham, Information Commissioner, said:

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

The fine was levied under the UK Data Protection Act 1998, since replaced by the Data Protection Act 2018, which effectively implements the EU’s GDPR.

Cambridge Analytica was known to have been involved in political campaigning in the US, and its alleged misuse of data will be presented to the Select Committee for the Department for Digital, Culture, Media, and Sport on 6 Nov, in an open, public session.

Ms. Denham added:

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”

Facebook’s global membership reached 2.23 billion monthly active users in Q3 2018.