The UK’s Information Commissioner’s Office (ICO) has issued Facebook a penalty notice requiring the payment of £500,000 for “a very serious data incident”. The fine is the maximum that can be imposed under the United Kingdom’s Data Protection Act 1998, which was the legislation in force when the incidents occurred.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data,” commented the UK’s Information Commissioner, Elizabeth Denham.
The data breach incidents occurred between 2007 and 2014, when Facebook failed to properly monitor the developers using the Facebook platform to build apps and allowed them access to user information without clear consent. This particular case concerned Aleksandr Kogan and his company Global Science Research, which harvested the private data of up to 87 million Facebook users. The information was later shared with other organizations, including the SCL Group, a subsidiary of Cambridge Analytica, which used this data for political campaigning.
Even after the breach of personal data was discovered back in 2015, Facebook did not take appropriate measures to make sure that the stolen information was deleted. Moreover, the company did not even suspend the SCL Group from the Facebook platform until 2018, and this oversight influenced the ICO’s decision to issue the maximum possible penalty. For a company as wealthy as Facebook, with revenue of £31.5 billion in 2017, the £500,000 fine is a minuscule amount. However, if the decision had been made under the latest Data Protection Act 2018, the penalty could have been up to £1.2 billion.