ICO fines Facebook maximum £500,000 for failing to protect users’ personal information

The Information Commissioner’s Office (ICO) has fined social media giant Facebook £500,000 for serious breaches of data protection law. In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide-ranging investigation into the use of data analytics for political purposes. After considering representations from the company, the ICO has issued the fine and confirmed that the amount – the maximum allowable under the laws which applied at the time the incidents occurred – will remain unchanged.

The ICO’s investigation found that, between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if end users hadn’t downloaded the app, but were simply ‘friends’ with people who had done so.

Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant that one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide without their knowledge. A subset of this data was later shared with other organisations, including the SCL Group, the parent company of Cambridge Analytica, which was involved in political campaigning in the US.

Even after the misuse of the data was discovered in December 2015, Facebook didn’t do enough to ensure those who continued to hold it had taken adequate and timely remedial action (including deletion). In the case of the SCL Group, Facebook didn’t suspend the company from its platform until this year.

The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

Facebook “should have known better”

Elizabeth Denham, the Information Commissioner, said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

Information Commissioner Elizabeth Denham

This fine was served under the Data Protection Act 1998. That Act was replaced in May by the new Data Protection Act 2018 alongside the EU’s General Data Protection Regulation. These provide a range of new enforcement tools for the ICO, including maximum fines of £17 million or 4% of a company’s global turnover.

Denham added: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. Inevitably, the fine would have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data. Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”

A further update on the ICO investigation into data analytics for political purposes will be available on Tuesday 6 November when the Information Commissioner gives evidence to the Department for Digital, Culture, Media and Sport Select Committee.

In July, the ICO published an interim progress update on its investigation and also published a partner report looking at the broader policy issues identified during the investigation along with findings and the Information Commissioner’s recommendations for future action.

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.