Britain’s information regulator on Thursday upheld a small but symbolic 500,000 pound ($645,000) fine for Facebook for breaches of data protection law related to the harvesting of data by consultancy Cambridge Analytica.
Confirming its initial decision on the fine in July, the Information Commissioner’s Office said data from at least one million British users had been among that harvested by Cambridge and used for political purposes.
The fine confirms plans announced by the ICO in July, when the watchdog said it intended to impose the maximum fine under the UK’s old privacy laws, but allowed the company time to make representations. Under new rules, the fine would “inevitably have been significantly higher,” the Information Commissioner said.
The ICO said its investigation had found that, between 2007 and 2014, Facebook had allowed app developers to access users’ personal information unfairly. Data were used “without [users’] sufficiently clear and informed consent,” as well as in instances where users had not downloaded Facebook’s app but were “friends” with people who had.
This meant data from up to 87m US voters could be harvested and passed to Cambridge Analytica, whose parent company was employed by US President Donald Trump’s election campaign.
“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion,” said the ICO in a statement.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” said Elizabeth Denham, the Information Commissioner.
The fine falls under the Data Protection Act 1998, old rules that were replaced in May by the European Union’s new General Data Protection Regulation. These new rules give the ICO new enforcement tools — including maximum fines of £17m, or 4 per cent of global turnover — with which to sanction companies deemed to have broken data protection law.