Facebook lost millions of users, along with the trust of the public, following the revelations in March 2018 embroiling them and Cambridge Analytica in a data harvesting scandal.
Despite the Information Commissioner’s Office (ICO) recently concluding that Facebook contravened the law, Facebook can count itself lucky that it will receive a slap on the wrist in the form of a £500,000 fine due to the timing of their breach.
Investigation into misuse of personal data
The ICO began an investigation in May 2017 into the misuse of personal data in political campaigns, with a particular concern surrounding the EU referendum. The investigation’s focus quickly shifted to Facebook and Cambridge Analytica when evidence emerged that an app had been used to harvest what is now estimated to have been 87 million Facebook users’ details during the 2016 US presidential campaign.
The ICO’s investigation has concluded that “Facebook has failed to provide the kind of protections they are required to under the Data Protection Act.” Facebook had contravened the law by failing to safeguard people’s information and also failed to be transparent about how data was harvested by others. Accordingly, Facebook have received the maximum fine available under the Data Protection Act 1998 of £500,000 (or, in other words, seven minutes’ worth of Facebook’s average revenue).
In comparison to Facebook’s fine from the European Commission in 2017 of £95m for providing incorrect or misleading information during the purchase of WhatsApp, the ICO’s fine is arguably of little concern to Facebook. Campaigners have been unimpressed with this penalty.
The ICO’s Report
It’s not just Facebook who have been reprimanded by the ICO – the ICO’s report sets out a number of other regulatory actions following the extensive privacy breaches:
Warning letters to 11 political parties, alongside notices compelling them to agree to audits of their data protection practices
Enforcement Notice for SCL Elections Ltd to compel them to deal properly with a subject access request from Professor David Carroll
Criminal prosecution for SCL Elections Ltd for failing to deal properly with the ICO’s Enforcement Notice
Enforcement Notice for Aggregate IQ to stop processing UK citizens’ retained data
Notice of Intent to take regulatory action against Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd)
Audits of main credit reference companies, as well as Cambridge University Psychometric Centre.
It’s clear from the ICO’s actions that new technologies using data analytics have allowed campaign groups to micro-target individuals, damaging the integrity of democracy around the world and showing disregard for individual’s personal data.
Lessons to learn
Whilst online data has historically naively been assumed to be protected, the public are increasingly concerned about their privacy and aware of their personal data following a number of high-profile hacks. The General Data Protection Regulation (GDPR) has now upped the consequences for companies that fail to implement adequate protections.
As the information commissioner Elizabeth Denham stated: “This is not all about fines though… any company is worried about its reputation, because people want to feel that their data is safe.” Facebook’s real punishment in this case was the substantial damage to their reputation following significant media coverage and their CEO being hauled before Congress and the European Parliament. The company have been ‘let off’ with a £500,000 fine as the timings of the breaches resulted in the ICO unable to levy the penalties introduced by the GDPR.
If the reputational damage is not enough cause for concern, companies should be aware of the significant fines on offer under the GDPR. Fines for breaches of data subjects’ rights and freedoms are capped at the higher level of €20m or 4% of global turnover. This indicates that Facebook would have received a hefty fine should their scandal have occurred after 25 May 2018.
The ICO’s decision to fine Facebook the maximum amount available to it should be taken to demonstrate its firm stance on enforcing data regulations. Don’t be fooled by the amount – the GDPR is implemented and the ICO is ready and waiting to apply its full force.
Megan Forbes, from Irwin Mitchell's Regulatory and Criminal Investigations Group.
For general enquiries
0370 1500 100
Or we can call you back at a time of your choice
Request a call back
Phone lines are open 24/7, 365 days a year