Facebook Slapped With Maximum Fine Following Cambridge Analytica Data Scandal

12.07.2018

David Shirt, Press Officer | 0161 838 3094

Facebook lost millions of users along with the trust of the public following the revelations in March 2018 embroiling Facebook and Cambridge Analytica in a data harvesting scandal. Despite the Information Commissioner’s Office (“ICO”) concluding this week that Facebook contravened the law, Facebook can count itself lucky that it will receive a slap on the wrist in the form of a £500,000 fine due to the timing of their breach.

Investigation into misuse of personal data

The ICO began an investigation in May 2017 into the misuse of personal data in political campaigns with a particular concern surrounding the EU referendum. The investigation’s focus quickly shifted to Facebook and Cambridge Analytica when evidence emerged that an app had been used to harvest what is now estimated to have been 87 million Facebook users’ details during the 2016 US presidential campaign.

The ICO’s investigation has concluded that “Facebook has failed to provide the kind of protections they are required to under the Data Protection Act”; Facebook contravened the law by failing to safeguard people’s information and also failed to be transparent about how data was harvested by others. Accordingly, Facebook have received the maximum fine available under the Data Protection Act 1998 of £500,000 (or, in other words, 7 minutes’ worth of Facebook’s average revenue).

In comparison to Facebook’s fine from the European Commission in 2017 of £95m for providing incorrect or misleading information during the purchase of WhatsApp, the ICO’s fine is arguably of little concern to Facebook, and campaigners have been unimpressed with their penalty.
The ICO’s Report

It isn’t just Facebook who have been reprimanded by the ICO; the ICO’s report sets out a number of other regulatory actions following the extensive privacy breaches:

• warning letters to 11 political parties alongside notices compelling them to agree to audits of their data protection practices;
• Enforcement Notice for SCL Elections Ltd to compel it to deal properly with a subject access request from Professor David Carroll;
• criminal prosecution for SCL Elections Ltd for failing to deal properly with the ICO’s Enforcement Notice;
• Enforcement Notice for Aggregate IQ to stop processing UK citizens’ retained data;
• Notice of Intent to take regulatory action against Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd); and
• audits of main credit reference companies as well as Cambridge University Psychometric Centre.

It is clear from the ICO’s actions that new technologies using data analytics have allowed campaign groups to micro-target individuals, damaging the integrity of democracy around the world and showing disregard for individuals’ personal data.

Lessons to learn

Whilst online data has historically, and naively, been assumed to be protected, the public are increasingly concerned about their privacy and aware of their personal data following a number of high-profile hacks, and the General Data Protection Regulation (“GDPR”) has now upped the consequences for companies that fail to implement adequate protections.
As the information commissioner Elizabeth Denham stated, “this is not all about fines though…any company is worried about its reputation, because people want to feel that their data is safe.” Facebook’s real punishment in this case was the substantial damage to their reputation following significant media coverage and their CEO being hauled before Congress and the European Parliament; the company have been ‘let off’ with a £500,000 fine as the timings of the breaches resulted in the ICO being unable to levy the penalties introduced by the GDPR.

If the reputational damage isn’t enough cause for concern, companies should be aware of the significant fines on offer under the GDPR; fines for breaches of data subjects’ rights and freedoms are capped at the higher level of €20m or 4% of global turnover, indicating that Facebook would have received a hefty fine should their scandal have occurred after 25 May 2018.

The ICO’s decision to fine Facebook the maximum amount available to it should be taken to demonstrate its firm stance on enforcing data regulations. Don’t be fooled by the amount; the GDPR is implemented and the ICO is ready and waiting to apply its full force.

Written by Megan Forbes, from Irwin Mitchell's Regulatory and Criminal Investigations Group.

Key contact: Craig Weston, Barrister, +44 (0)750 1229 485