Updated The UK's Information Commissioner has formally fined Facebook £500,000 – the maximum available – over the Cambridge Analytica scandal.
In a monetary penalty notice issued this morning, the Information Commissioner's Office (ICO) stated that the social media network had broken two of the UK's legally binding data protection principles by allowing Cambridge academic Aleksandr Kogan to harvest 87 million Facebook users' personal data through an app disguised as an innocent online quiz.
"Facebook... failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge," said the ICO in its statement on the fine.
Data harvested by GSR would later be passed to SCL Elections Ltd, the company behind Cambridge Analytica. The fine was telegraphed by the data protection regulator back in July.
"The Facebook Companies thereby acted in breach of section 4(4) of the [Data Protection Act], which at all material time required data controllers to comply with the data protection principles in relation to all personal data in respect of which they were the data controller," continued the ICO in its penalty notice (PDF, 27 pages).
UK watchdog finally gets search warrant for Cambridge Analytica's totally not empty officesREAD MORE
The £500k fine is the maximum penalty available to the ICO under 1998's Data Protection Act. The regulator noted: "But for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty." Nonetheless, with Facebook making a net income of $5.1bn in its latest fiscal quarter, the penalty amounts to just over quarter of an hour's profits*.
Under the Data Protection Act 2018, which implements the EU GDPR rules, the maximum fine available is 4 per cent of turnover.
Elizabeth Denham, Information Commissioner, said: "Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data."
The ICO has a particular bee in its bonnet about Facebook and Cambridge Analytica, as well as the use of personal data in political advertising campaigns more generally. On top of raiding CA's UK offices earlier this year, it also laid a criminal charge against SCL Elections in the magistrates' court.
A Canadian firm alleged by the ICO to be linked to Cambridge Analytica, Aggregate Data Services IQ Ltd, is appealing in the First-Tier Tribunal against a civil enforcement notice issued by the ICO. The company said it is not linked to the Cambridge Analytica scandal and was merely a software developer for the controversial company. That case will be heard in the near future. ®
*At current exchange rates, Facebook makes around £43m a day in post-tax profits, or just under £2m per hour.
Updated at 11.27 UTC
A Facebook PR rep sent us a statement:
“We are currently reviewing the ICO's decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
"We are grateful that the ICO has...confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica. Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”