The U.K. Information Commissioner’s Office (ICO) has confirmed that it has hit Facebook with a maximum £500,000 ($645,000) fine around the way it mishandled user data following the Cambridge Analytica scandal earlier this year.
The ICO announced its intention to hand Facebook the fine back in July and it said today that it had not changed its mind after hearing the social network’s responses to key questions raised. While £500,000 is a drop in the ocean for the U.S. company, it represents the maximum allowable punishment under UK law, which is the significant part to focus on here.
Facebook provided the following statement to TechCrunch:
“We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica. Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”
The introduction of GDPR has given the ICO the power to issue fines of up to £17 million ($22 million) or four percent of a company’s global turnover — that’s potentially up to $1.6 billion in Facebook’s case. Luckily for the U.S. firm, though, that isn’t possible since this investigation began back in May 2017 following questions around digital influence on the Brexit vote.
In the case of Cambridge Analytica, the ICO found that at least one million UK users were among the 87 million Facebook users whose private data was harvested by Dr. Aleksandr Kogan and his company Global Science Research (GSR).
While the issue was identified in 2015, GSR and Kogan were not booted from Facebook’s platform until this year. That led the British organization to conclude that beyond failing to “make suitable checks on apps and developers using its platform,” Facebook “did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action.” Indeed, CEO Mark Zuckerberg himself has admitted that the decision was a mistake.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” Information Commissioner Elizabeth Denham said in a statement.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people’s personal data,” she added.
Denham is slated to present an update on the investigation to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee on November 6, but she said work on the topic of digital influence on politics will continue beyond that date.
“There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based,” Denham added.
We’ve contacted Facebook for a response to today’s announcement.
Note: The original version of this story was updated to correct that the fine is £500,000 not $500,000. In addition, Facebook updated its response with an additional line.