Sunday 23rd September 2018

Facebook “fine”: Lawmakers and regulators demonstrate worrying inability to understand data protection legislation

Information Commissioner Elizabeth Denham and David Lammy MP have both made comments in the last 24 hours about likely action being taken by the UK's data protection authority against Facebook.
by Jason Smith on 12th July 2018

In a series of announcements and comments about a notice of intent served by the UK’s data protection authority to Facebook, British lawmakers and regulators have demonstrated a worrying lack of understanding about data protection legislation and the specifics of the cases they are commenting on.

Yesterday David Lammy, a British politician, publicly criticized the UK’s Information Commissioner’s Office (ICO) for “lacking teeth” in only “fining” Facebook £500,000 over an incident involving the alleged misuse of 87 million users’ personal data.

He stated on Twitter:

“A £500K fine for recklessly leaking personal data to Cambridge Analytica, which then used it to manipulate the referendum. They will be laughing in Silicon Valley. We need a regulator with teeth”.

However, despite making the regulator a target for his criticism, Lammy is seemingly unaware that the UK’s data protection authority, the Information Commissioner’s Office, is limited by the Data Protection Act 1998 from fining an organization more than £500,000.

As the incident took place in 2015 it falls under the scope of the Data Protection Act 1998, not the Data Protection Act 2018 or the GDPR. The latter would allow the ICO to fine an organization up to 20 million EUR or 4 percent of annual revenue, whichever is higher.

Moreover, the ICO is currently reviewing the data held by Cambridge Analytica and it is investigating both the Remain and Leave campaigns.

As announced by the ICO, a final decision on the course of action to be taken against the social network will be made after it responds to the data protection authority’s notice of intent. In other words, the social network hasn’t yet been fined by the ICO.

Facebook’s revenue in Q1 of 2018 was $11.97 billion. The ICO has found Facebook guilty of two breaches of the Data Protection Act 1998.

Meanwhile, the ICO issued a retraction earlier today over comments made by Information Commissioner Elizabeth Denham on the BBC’s Today programme on 11th July.

In full, the retraction states:

“We know that Cambridge Analytica were working on aspects of the US election political process. However, we are still looking at allegations that Facebook data was used as part of the referendum campaign, and this forms part of the next phase of our campaign”.

In full, Denham stated:

“Dr. Kogan created a personality app that ran on Facebook and ended up harvesting 87 million profiles of users around the world, that was then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum”.

A report about the ICO’s investigation is likely to be published in October.

During the interview, a BBC presenter also seemingly made the claim “Facebook’s current profits are around 430 billion pounds per year”. It’s unclear where this statistic was pulled from. In Q1 of 2018 the organization posted profits of $4.98 billion.