Social media giant fined £500,000 for lack of transparency and failing to protect users’ information
It has been announced that Facebook will be fined the maximum amount of £500,000 for its part in the Cambridge Analytica data breach scandal, which was made public in 2017.
The scandal itself actually took place several years back, in 2014 and 2015, when Facebook allowed an app to harvest 87m user profiles from around the world; that data was then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum. Despite Facebook being aware of this, the breach wasn’t reported until two years later, in 2017.
The fine is for two breaches of the Data Protection Act. The Information Commissioner’s Office (ICO) concluded that Facebook failed to safeguard its users’ information and that it failed to be transparent about how that data was harvested by others.
A whistleblower revealed how Cambridge Analytica – a company owned by the hedge fund billionaire Robert Mercer, and headed at the time by Trump’s key adviser Steve Bannon – used personal information taken without authorisation in early 2014 to build a system that could profile individual US voters, in order to target them with personalised political advertisements.
By late 2015, both Cambridge Analytica and Facebook had found out that information had been harvested on an unprecedented scale. However, at the time both companies failed to alert users and took only limited steps to recover and secure the private information of more than 87 million individuals.
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act,” said Elizabeth Denham, the information commissioner.
Denham goes on to say, “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
“This was a very serious contravention, so in the new regime, they would face a much higher fine. This is not all about fines though, any company is worried about its reputation because people want to feel that their data is safe.”
How to avoid the fines
As a data processor, it is your responsibility to notify the ICO within 72 hours of a data breach occurring. Because of the timing of the breaches, the ICO said it was unable to levy the penalties introduced by the European General Data Protection Regulation (GDPR), which caps fines at the higher of €20m (£17m) or 4% of global turnover; in Facebook’s case, that would be $1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.
To give some financial context, in the first quarter of 2018 Facebook took £500,000 in revenue every five and a half minutes. Although they have gotten off lightly this time, if another breach were to occur under the GDPR, they might not be so lucky.