- Facebook has been fined £500,000 ($645,000) by the UK’s Information Commissioner’s Office for the Cambridge Analytica data breach.
- It is the maximum possible fine available to the British watchdog, but would have been much higher had Europe’s GDPR rules been in force when the breach took place.
- Information Commissioner Elizabeth Denham said Facebook “should have known better and it should have done better.”
Facebook has been stung with the maximum possible fine by Britain’s privacy watchdog for the Cambridge Analytica scandal.
The UK’s Information Commissioner’s Office (ICO) fined Facebook £500,000 ($645,000), the highest punishment it can dish out for a data breach.
The ICO said in July that it intended to levy the maximum fine on Facebook after Cambridge Analytica exploited the data of 87 million users harvested by developer Dr Aleksandr Kogan.
Confirmation of the penalty came on Thursday, with information commissioner Elizabeth Denham saying: “A company of its size and expertise should have known better and it should have done better.”
The fine is, of course, tiny in the context of Facebook’s global revenue of more than $40 billion last year. Denham said the penalty would have been much higher had Europe’s GDPR rules been in force. GDPR allows data watchdogs to fine companies up to €20 million or 4% of their global annual turnover, whichever is higher, which in Facebook’s case would be about $1.6 billion.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR,” she said.
“One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
Facebook can appeal the fine. A spokesman said:
“We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.
“Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”
The ICO’s 27-page penalty notice can be read here. In summary, the ICO said Facebook failed to protect users by allowing developers access to data without clear and proper consent between 2007 and 2014.
This allowed Kogan and his company GSR to harvest information, which was ultimately weaponized by Cambridge Analytica during the 2016 presidential election in the US.
The ICO also said that, even after the breach was discovered in 2015, Facebook did not take sufficient action to ensure that those who held the data deleted it.