Facebook has been hit with a £500,000 fine by the UK’s data protection agency for the Cambridge Analytica scandal earlier this year. For context, Facebook’s overall revenue was $40 billion (£31 billion) last year according to Statista.
While the fine may be seen as a drop in the ocean, it’s the maximum amount the Information Commissioner’s Office (ICO) could impose before GDPR came into force.
The ICO said the Cambridge Analytica scandal, which allowed the firm to harvest the data of up to 87 million Facebook users through a quiz game created by a developer, was a serious breach of the law.
Once Cambridge Analytica had acquired this information, it used it for targeted political advertising in the US.
‘Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had,’ the ICO said in a statement.
‘Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform.’
The ICO found that more than one million UK users had data harvested by the quiz. ‘A company of its size and expertise should have known better and it should have done better,’ said Elizabeth Denham, the UK’s Information Commissioner.
The General Data Protection Regulation (GDPR), which came into force on May 25th, allows authorities to impose greater fines.
Serious violations of GDPR can attract fines of up to 20 million euros or up to 4% of global turnover, whichever is higher.
Julian Saunders, CEO and founder of personal data governance company PORT.im, said: ‘Facebook can count its lucky stars that this fine was levied under the old rules and not under GDPR.
If it was the latter they would have been looking at a fine in the tens of millions.
‘In any case, the ICO has clearly drawn a line in the sand regarding the systemic misuse and abuse of personal data,’ he told Metro.co.uk.
‘This should act as a wakeup call to every organisation that if they are caught breaching GDPR they could face fines that will severely damage their business.
If that isn’t enough of a deterrent, business leaders need only look at the damage to Facebook’s brand in the wake of Cambridge Analytica.
‘A seemingly invincible company has been substantially weakened by a loss of consumer trust because they have had such a cavalier approach to collecting and using personal data.
‘GDPR compliance has slowly slipped off the agenda of many organisations after it came into force in May.
This case shows the dangers of complacency. I hope that business leaders have taken note and will renew their efforts to protect the personal data that they are entrusted with.’