The Information Commissioner’s Office (ICO), the UK’s data protection authority, is proposing to fine Facebook £500,000 over the Cambridge Analytica incident that led to the alleged misuse of an estimated 87 million users’ personal data.
The ICO revealed the extent of the fine in an announcement declaring it has sent the social network a “notice of intent,” which signals the ICO’s intention to fine the social network for two breaches of the Data Protection Act.
The ICO has also written to 11 of the UK’s political parties encouraging them to have their data protection practices audited.
As the incident took place in 2015, the fine would be issued under the Data Protection Act 1998, not the GDPR or the Data Protection Act 2018.
The maximum the ICO can fine an organization under the old data protection legislation is £500,000. Meanwhile, the maximum penalty a data protection authority can issue under the GDPR, which came into force on 25th May 2018, is 4 percent of annual revenue or 20 million EUR, whichever is higher.
The social network will be given an opportunity to respond to the notice, at which point a final decision will be made.
On a call with reporters, Information Commissioner Elizabeth Denham stated:
“Facebook has failed to provide the kinds of protections they’re required to do under data protection laws. [The fine] sends a clear signal that I consider this a significant issue, especially when you look at the scale and the impact of this kind of data breach.”
In a recent report we also highlighted that a number of lawmakers in the UK are relying on a “democratic engagement” principle laid down by the Data Protection Act 2018, and described as “very wide” by the ICO, to collect data on their users.
The “issue” Denham addressed involved Cambridge Analytica acquiring data from Cambridge University researcher Aleksandr Kogan for roughly £230,000. Kogan collected the data through an app titled “thisisyourdigitallife”.
The researcher has previously criticized Facebook CEO Mark Zuckerberg for being a “total hypocrite” and alleged “tens of thousands of other apps did the same thing”.
Cambridge Analytica was also contracted to assist with the campaign to elect Donald Trump in 2016. Subsequently, its CEO, Alexander Nix, was secretly filmed by the UK’s Channel 4 discussing how his organization helped President Trump win the election.
Meanwhile, a former media director for the Obama campaign, Carol Davidsen, has previously spoken about how Facebook data was used by the Obama campaign in 2011 and claimed the social network was surprised the campaign was able to “suck out the whole social graph”.
In response to an allegation made by Davidsen that the social network was “on the side” of the Obama campaign, Facebook’s CEO Mark Zuckerberg stated:
“We didn’t allow the Obama campaign to do anything that any developer on the platform wouldn’t otherwise have been able to do”.
The data shared with Cambridge Analytica consisted not only of users’ personal information but also of the personal information of their friends.
Facebook has reported that it’s unclear how many of the affected users are based in the EU and that it won’t know more until it completes its internal audit. The social network previously estimated that 2.7 million EU users were affected by the incident.
The social network has been subject to increased scrutiny over the last few years, not only in relation to Cambridge Analytica but also over its policies on illegal content, its data sharing agreements with device manufacturers, its handling of political advertisements and alleged electoral interference, and the quality and visibility of news content on its platform.
It is also currently subject to a consent decree with the FTC, which mandates that the social network undergo regular privacy audits for 20 years. According to Wired, PwC conducted one such audit between 2015 and 2017 – the Cambridge Analytica discovery was revealed in late 2015 – and gave the social network the all clear.
The social network has also recently been criticized by EU lawmakers for a change to its terms of service that pushes 1.5 billion non-EU users under the remit of Facebook US rather than Facebook Ireland.
The switch, which took place a few weeks before the GDPR came into force, ensures non-EU users will no longer enjoy the benefits of the EU’s data protection laws.
It was also recently drawn into a data breach involving third-party quiz app development firm SocialSweethearts. The breach is believed to have compromised data on millions of users.