
UK Regulator Hits Facebook With Maximum Fine

ICO Fines Facebook Maximum £500,000 Over its Role in the Cambridge Analytica Scandal

Back in April, SecurityWeek asked the question, ‘would Facebook be in breach of GDPR over the Cambridge Analytica scandal?’ The question has been answered unequivocally: Yes.

This confirms the advice we were given at the time. “From Facebook’s perspective,” MacRoberts LLP senior partner David Flint said, “the only good point is that the maximum fine under the [current UK] Data Protection Act is £500,000; after 25 May 2018 it would be 4% of Facebook worldwide turnover ($40bn in 2017) — a potential $1.6bn fine! That’s before damages claims.”

Today the UK’s data protection regulator, Information Commissioner Elizabeth Denham, announced that Facebook (defined as Facebook Ireland Ltd, and Facebook Inc — the Facebook Companies) has indeed been fined £500,000. “The ICO’s investigation,” explains the regulator, “found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.”

The specific app in question was developed by Dr Aleksandr Kogan and his company GSR. It harvested data of up to 87 million people worldwide. A large portion of this data was shared with the SCL group — the parent company of political campaign organization Cambridge Analytica. The ICO’s investigation found that “the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.”

During the process of the investigation, Facebook argued that the ICO had no jurisdiction in the matter, although it did cooperate with the ICO. The ICO’s Decision Notice (PDF) explains its position:

“UK Users would include (but would not be confined to) UK residents who made use of the Facebook site during the material time. UK Users would also include persons visiting the UK who made use of the Facebook site during the material time while visiting the UK. Because the processing by the Facebook Companies of personal data about the UK Users took place in the context of a UK establishment: (i) such processing fell within the scope of the DPA; and (ii) the Commissioner has jurisdiction over the Facebook Companies in respect of such processing.”

While Facebook has asserted that only personal data from U.S. citizens was used (misused under European principles) for Cambridge Analytica’s political campaigning, the ICO comments, “Some US residents would also, from time to time, have been UK users (as defined above): e.g. if they used the Facebook site while visiting the UK.”

The same principle of ‘user’ rather than citizen applies to GDPR. It reinforces a key point often missed by U.S. organizations: GDPR is not merely about protecting the PII of EU citizens, it applies to any person of any nationality who is within the geographical boundaries of the EU at the time.

Part of the reason the ICO applied the maximum fine possible under the legislation applicable at the time (the UK’s Data Protection Act 1998, since superseded by the Data Protection Act 2018, the UK’s implementation of GDPR) was the persistence of Facebook’s failing.

“Even after the misuse of the data was discovered in December 2015,” says the ICO, “Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

This is another key aspect of GDPR: regulators take into consideration the efforts an organization made to protect personal data. While rapid remedial action is unlikely to reduce an applicable fine, failure to act promptly and effectively will almost certainly increase it.

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” said Elizabeth Denham.

It is, however, her next comment that should sound a warning to all companies of any size that process — and allow the unlawful processing — of EU users’ data: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people’s personal data. Our work is continuing.”

GDPR isn’t merely designed to punish transgressors; it is designed to punish them so severely that they will actually change their business practices. Much larger fines under GDPR are inevitable.

Related: Test Case Probes Jurisdictional Reach of GDPR 

Related: First GDPR Enforcement is Followed by First GDPR Appeal 

Related: Facebook Suspends 200 Apps Over Data Misuse 

Related: Facebook Says 50M User Accounts Affected by Security Breach 
