UK fines Facebook £500,000 for failing to protect user data

Decision by information commissioner comes after Cambridge Analytica scandal

Facebook has been fined £500,000 by the Information Commissioner’s Office in the wake of the Cambridge Analytica scandal, after allowing third party developers to access user information without sufficient consent.

The ICO announcement on Thursday upholds its initial decision in July. The fine, which represents a drop in the ocean for a company that brought in $40.7bn (£31.5bn) in global revenue in 2017, was the maximum available to the regulator under old data protection legislation.

The ICO found that the personal information of at least 1 million UK users was among harvested data and was consequently put at risk of further misuse. It also insisted that the company could have faced a substantially higher fine of up to £1.2bn under the new regulatory system.

The investigation found that Facebook failed to keep the personal information of its users secure by failing to make suitable checks on developers using its platform.

These failings meant one developer, Aleksandr Kogan, was able to convince 300,000 people to install a personality testing application that fed back the Facebook data of both users and their friends, enabling him to harvest the profiles of up to 87 million people worldwide without their knowledge.

A subset of the data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica, which was involved in running targeted Facebook adverts in US political contests, only to collapse earlier this year following a series of reports by the Observer.

The investigation also concluded, based on information provided by Facebook, that it did not currently have any evidence that British users’ social media data was shared with Cambridge Analytica.

However, the information commissioner said that in any eventuality the lack of controls meant the data of UK residents was “put at serious risk” of being used for political campaigning – even if this did not actually take place.

“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion,” said the ICO report. “In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

The fine is likely to feed into the ever-growing consensus in Westminster that some form of tough new regulation is required to control major tech companies, with the government likely to propose new legislation in the coming months.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data,” said the information commissioner, Elizabeth Denham.

“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”

Facebook, which has the right to appeal the verdict, said: “We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”

The company is already facing an investigation by the Irish data regulator over an unconnected data breach discovered last month, which could result in a record fine.


Jim Waterson Media editor

The GuardianTramp

Related Content

Article image
Facebook among 30 organisations in UK political data inquiry
Information commissioner is investigating use of personal information in political campaigns

Alex Hern

05, Apr, 2018 @4:28 PM

Article image
MPs summon Mark Zuckerberg, saying Facebook misled them
Facebook founder is called to give evidence after revelations over data use by Cambridge Analytica

Hilary Osborne and Jessica Elgot

21, Mar, 2018 @11:31 AM

Article image
Cambridge Analytica: search of London HQ delayed by wait for warrant
Information commissioner’s office says high court adjourned hearing into request to enter offices over data row

Hilary Osborne and Dan Sabbagh

22, Mar, 2018 @3:51 PM

Article image
Publish all Vote Leave's data, campaign chief challenges Facebook
Dominic Cummings says move would prove campaign did not use data gathered improperly by Cambridge Analytica

Jim Waterson Media editor

18, May, 2018 @2:00 PM

Article image
Facebook denies giving contradictory evidence to parliament
Committee chairman suggested staff knew Cambridge Analytica had misused data before Guardian revelation

Kevin Rawlinson

12, Aug, 2019 @7:38 PM

Article image
Watchdog investigates links between Canadian data firm and Vote Leave
Information Commissioner’s Office inquiry into AggregateIQ is one of many started by ICO in response to data misuse claims

Alex Hern

11, Jul, 2018 @2:24 PM

Article image
'Facebook is a morality-free zone’: tech chief lambasted by MP
Executive apologises over Cambridge Analytica scandal as Tory MP accuses Facebook of bullying

Jim Waterson Media editor

26, Apr, 2018 @12:46 PM

Article image
Social networks may have to reveal how they target users with ads
Information commissioner calls for more transparency over how individuals’ data is used for political ends

Alex Hern

06, Mar, 2018 @6:16 PM

Article image
Facebook to lodge appeal against ICO's £500,000 fine
Company says it disputes penalty for role in Cambridge Analytica scandal on principle

Alex Hern

21, Nov, 2018 @6:19 PM

Article image
MPs threaten Mark Zuckerberg with summons over Facebook data
Parliament may formally call CEO to face Cambridge Analytica questions next time he is in UK

Jim Waterson Media editor

01, May, 2018 @6:42 PM