UK watchdog fines Facebook over users’ data breach
The fine is the maximum allowed under the law at the time the breach occurred. Had the scandal taken place after new EU data protection rules went into effect this year, the amount would have been far higher.
British regulators on Thursday slapped Facebook with a fine of 500,000 pounds ($644,000) — the maximum possible — for failing to protect the privacy of its users in the Cambridge Analytica scandal.
The Information Commissioner Office found that between 2007 and 2014, Facebook processed the personal information of users unfairly by giving app developers access to their information without informed consent. The failings meant the data of some 87 million people was used without their knowledge.
"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data," said Elizabeth Denham, the information commissioner. "A company of its size and expertise should have known better and it should have done better."
The ICO said a subset of the data was later shared with other organisations, including SCL Group, the parent company of political consultancy Cambridge Analytica. News that the consultancy had used data from tens of millions of Facebook accounts to profile voters and help US President Donald Trump's 2016 election campaign ignited a global scandal on data rights.
The fine is the maximum allowed under the law at the time the breach occurred. Had the scandal taken place after new EU data protection rules went into effect this year, the amount would have been far higher — including maximum fines of 17 million pounds or 4 percent of global turnover, whichever is higher.
"We are currently reviewing the ICO's decision," Facebook said in a statement. "While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation."
Facebook also took solace in the fact that the ICO did not definitively assert that UK users had their data shared for campaigning. But the commissioner noted in her statement that "even if Facebook's assertion is correct," U.S. residents would have used the site while visiting the UK.