The Information Commissioner’s Office (ICO) has issued a notice of intent to fine Facebook £500,000, the maximum amount possible under the Data Protection Act, for failing to protect its users’ data and not being transparent about how data was harvested by third parties.
The Facebook scandal emerged after a whistleblower alleged that the controversial data consulting firm Cambridge Analytica had clandestinely harvested personal data from over 87 million Facebook accounts.
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act,” said Elizabeth Denham, the information commissioner. “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
The allegations centre on a Facebook quiz app which calculated a psychometric profile for each user. Cambridge Analytica allegedly used these profiles to create targeted adverts during the US presidential election and the EU referendum.
In-built weaknesses in Facebook’s privacy settings allowed the quiz app to capture not just the user’s information but also that of all of their friends, depending on the friends’ own privacy settings.
Luckily for Facebook, the incident occurred before the General Data Protection Regulation (GDPR) came into effect. The social network would have faced a fine of £359m if the offences occurred under GDPR. Responding to the fine, Facebook’s chief privacy officer Erin Egan admitted that Facebook “should have done more to investigate claims about Cambridge Analytica and take action in 2015”.
The ICO launched its investigation into the scandal in February, and the intention to fine Facebook was announced in Tuesday's update (10 July). The information commissioner Elizabeth Denham added that the ICO’s investigation wasn't over yet.
So, the cat is officially out of the bag. Tomorrow’s ICO’s report on FT front page. Maximum possible fine for Facebook. Criminal enforcement against Cambridge Analytica. Huge investigation ongoing into MULTIPLE crimes potentially committed in referendum. The ICO is bringing it..
Of particular interest now is the ICO’s investigation into both sides of the EU referendum.
The ICO, Denham wrote, will investigate whether the Leave campaign “transferred the personal data of UK citizens outside the UK” and “whether that personal data has also been unfairly and unlawfully processed”. Any enforcement action can be expected within three months, Denham said.
The Remain campaign is also being investigated over inadequate third-party consent and the fair processing statements used to collect personal data.
But the cybersecurity expert Stewart Twynham has little hope that the ICO's investigation will result in any meaningful action. "The fine really is a token amount. It’ll take eight minutes for Facebook to generate that cash based on their first quarter revenue.
"There are other things the ICO could be doing. But I don’t think they have the stomach or political will to do it." Twynham suggested that an enforcement notice is the right way forward for the ICO.
"If the ICO feels that Facebook is still sharing information in ways people wouldn’t fully expect or that this is an ongoing thing - which most people think is the case - they could tell them ‘stop’. They could actually tell them what they want to happen, and that’s even the case under the Data Protection Act, not just GDPR. That could have a huge impact on the Facebook business model."
But Twynham said, "I get this impression that this is so politically charged and Facebook is so huge, they’re not brave enough to do something out of the box."