Connect with us

Hi, what are you looking for?



UK Regulator Hits Facebook With Maximum Fine

ICO Fines Facebook Maximum £500,000 Over its Role in the Cambridge Analytica Scandal

ICO Fines Facebook Maximum £500,000 Over its Role in the Cambridge Analytica Scandal

Back in April, SecurityWeek asked the question, ‘would Facebook be in breach of GDPR over the Cambridge Analytica scandal?’ The question has been answered unequivocally: Yes.

This confirms the advice we were given at the time. “From Facebook’s perspective,” MacRoberts LLP senior partner David Flint said, “the only good point is that the maximum fine under the [current UK] Data Protection Act is £500,000; after 25 May 2018 it would be 4% of Facebook worldwide turnover ($40bn in 2017) — a potential $1.6bn fine! That’s before damages claims.”

Today the UK’s data protection regulator, Information Commissioner Elizabeth Denham, announced that Facebook (defined as Facebook Ireland Ltd, and Facebook Inc — the Facebook Companies) has indeed been fined £500,000. “The ICO’s investigation,” explains the regulator, “found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.”

The specific app in question was developed by Dr Aleksandr Kogan and his company GSR. It harvested data of up to 87 million people worldwide. A large portion of this data was shared with the SCL group — the parent company of political campaign organization Cambridge Analytica. The ICO’s investigation found that “the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.”

During the process of the investigation, Facebook argued that the ICO had no jurisdiction in the matter — although it did cooperate with the ICO. The ICO’s Decision Notice (PDF) explains its position: 

“UK Users would include (but would not be confined to) UK residents who made use of the Facebook site during the material time. UK Users would also include persons visiting the UK who made use of the Facebook site during the material time while visiting the UK. Because the processing by the Facebook Companies of personal data about the UK Users took place in the context of a UK establishment: (i) such processing fell within the scope of the DPA ; and (ii) the Commissioner has jurisdiction over the Facebook Companies in respect of such processing.”

Advertisement. Scroll to continue reading.

While Facebook has asserted that only personal data from U.S. citizens was used (misused under European principles) for Cambridge Analytica’s political campaigning, the ICO comments, “Some US residents would also, from time to time, have been UK users (as defined above): e.g. if they used the Facebook site while visiting the UK.”

The same principle of ‘user’ rather than citizen applies to GDPR. It reinforces a key point often missed by U.S. organizations: GDPR is not merely about protecting the PII of EU citizens, it applies to any person of any nationality who is within the geographical boundaries of the EU at the time.

Part of the reason for the ICO to apply the maximum fine possible under the legislation applicable at the time (the UK’s Data Protection Act 1998, now superseded by the Data Protection Act 2018, being the UK’s implementation of GDPR) was the persistence of Facebook’s failing.

“Even after the misuse of the data was discovered in December 2015,” says the ICO, “Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

This is another key aspect of GDPR — regulators will take into consideration efforts made to protect personal data. While rapid remedial action is unlikely to reduce any applicable fine, failure to act promptly and effectively will almost certainly increase it. 

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” said Elizabeth Denham.

It is, however, her next comment that should sound a warning to all companies of any size that process — and allow the unlawful processing — of EU users’ data: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people’s personal data. Our work is continuing.”

GDPR isn’t merely designed to punish transgressors; it is designed to punish them so severely that they will actually change their business practices. Much larger fines under GDPR are inevitable.

Related: Test Case Probes Jurisdictional Reach of GDPR 

Related: First GDPR Enforcement is Followed by First GDPR Appeal 

Related: Facebook Suspends 200 Apps Over Data Misuse 

Related: Facebook Says 50M User Accounts Affected by Security Breach 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...