UK watchdog fines Facebook for serious data breach

Aditi Khanna, London
Published : 17:54, Oct 25, 2018 | Updated : 17:58, Oct 25, 2018

Figurines are seen in front of the Facebook logo in this illustration taken March 20, 2018. Reuters

The UK’s Information Commissioner’s Office (ICO) on Thursday fined Facebook £500,000 ($644,600) for serious breaches of data protection law, the maximum amount it is authorised to issue.
The fine by the country’s independent data watchdog related to the American social media giant’s role in the Cambridge Analytica data scandal, which hit the headlines earlier this year. The ICO said its investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply “friends” with people who had.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” said Information Commissioner Elizabeth Denham.
The fine has been served under the UK’s Data Protection Act 1998, which was replaced in May by the new Data Protection Act 2018, alongside the European Union’s General Data Protection Regulation (GDPR). The new rules provide a range of new enforcement tools for the ICO, including maximum fines of GBP 17 million or 4 per cent of global turnover.
Denham said: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.
“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
The ICO concluded that Facebook failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan, and his company GSR harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica, who were involved in political campaigning in the US.
Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.
The ICO found that the personal information of at least 1 million UK users was among the harvested data and consequently put at risk of further misuse.
SCL Group, a private British behavioural research and strategic communication company, had announced its closure in May this year in the wake of the scandal. The group's activities spread across the world and the ICO is still investigating how data analytics is used for political purposes, with its chief set to provide an update to the UK Parliament's Department for Digital, Culture, Media and Sport (DCMS) Select Committee next month.