Facebook told the regulator an estimated one million U.K. users were among the 87 million of its users whose private data was harvested by Dr. Aleksandr Kogan and his company Global Science Research back in 2014 — which passed the data to the now defunct political consultancy, Cambridge Analytica.
In July, the ICO announced it intended to fine Facebook the maximum possible amount under the U.K.’s old data protection regime — saying it was “clear” the company had contravened the law “by failing to keep users’ data safe” when its systems allowed Kogan’s app to scrape Facebook user data.
It confirmed the penalty a month ago, with commissioner Elizabeth Denham saying then: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
Although the text of its October decision includes the admission that the ICO had not found evidence that any U.K. Facebook users’ data had actually been passed to Kogan.
“Facebook has asserted that the only individuals whose personal data was used in this way [shared by Kogan with third parties including Cambridge Analytica] were US residents,” it writes on this, before adding that even if Facebook’s assertion is correct some U.S. residents would also have been U.K. users “from time to time” (e.g. if visiting the U.K.) — and thus would fall under its remit.
It also pointed to “serious risk” to U.K. users’ data being material to its decision, writing: “Dr. Kogan and/or GSR were put in a position where they were effectively at liberty (if they so chose) to use the personal data of UK residents for such purposes, or to share such data with persons or companies who would use it for such purposes.”
On that basis, Facebook appears to be resting its appeal against the ICO decision on its own assertion to the ICO that there’s no evidence of U.K. users’ data being used.
Commenting on its decision to appeal against the ICO’s fine in a statement, Anna Benckert, its EMEA VP & associate general counsel, said:
We have said before that we wish we had done more to investigate claims about Cambridge Analytica in 2015. We made major changes to our platform back then and have also significantly restricted the information app developers can access. And we are investigating all historic apps that had access to large amounts of information before we changed our platform policies in 2014.
The ICO’s investigation stemmed from concerns that UK citizens’ data may have been impacted by Cambridge Analytica, yet they now have confirmed that they have found no evidence to suggest that information of Facebook users in the UK was ever shared by Dr Kogan with Cambridge Analytica, or used by its affiliates in the Brexit referendum.
Therefore, the core of the ICO’s argument no longer relates to the events involving Cambridge Analytica. Instead, their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal.
For example, under ICO’s theory people should not be allowed to forward an email or message without having agreement from each person on the original thread. These are things done by millions of people every day on services across the internet, which is why we believe the ICO’s decision raises important questions of principle for everyone online which should be considered by an impartial court based on all the relevant evidence.
We’ve reached out to the ICO for comment. Update: An ICO spokesperson said: “Any organisation issued with a monetary penalty notice by the Information Commissioner has the right to appeal the decision to the First-tier Tribunal. The progression of any appeal is a matter for the tribunal. We have not yet been notified by the Tribunal that an appeal has been received.”
Last month, Denham explained the decision to impose the maximum penalty on Facebook by saying: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people’s personal data.”
This summer her office issued its first-ever enforcement notice under the new GDPR data protection regime against Canadian data firm AIQ, which had supplied software and services to the disgraced Cambridge Analytica.
But last month the ICO issued a narrower enforcement notice, replacing the earlier notice, after AIQ appealed.