The cash is tiny in comparison to Facebook’s profits but represents a shot over the bow of Facebook which will get hammered if something like this happens again.
Elizabeth Denham, the Information Commissioner, said Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.
The fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation. These provide a range of new enforcement tools for the ICO, including maximum fines of £17 million or four percent of global turnover.
Denham added: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
Facebook has responded by saying that it is currently reviewing the ICO’s decision. It adds: “While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”