Facebook must pay a £500,000 penalty for its role in the Cambridge Analytica scandal, the UK’s data watchdog ordered today.
The Information Commissioner’s Office (ICO) has handed the social media giant the penalty for processing people’s data without their consent, as well as failing to keep that data secure.
Elizabeth Denham, Information Commissioner, said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data.
“A company of its size and expertise should have known better and it should have done better.”
Third-party apps were able to siphon the personal data of tens of millions of Facebook users under the social network’s terms and conditions between 2007 and 2014, even if a user was simply a friend of a user who had agreed to use the app.
At least one million UK users’ data was abused in this manner, but Facebook had no procedures to check the kinds of developers and apps linking to its platform.
A total of 87m users’ data was harvested without their knowledge by one such app created by Cambridge University lecturer Aleksandr Kogan.
He then shared some of this data with Cambridge Analytica, which used it to target voters for Donald Trump in the 2016 US presidential election.
But the ICO blasted Facebook for failing to keep tabs on what developers were doing with its users’ information, and criticised it for not taking enough action after discovering the breach in December 2015.
Facebook didn’t do enough to confirm whether developers had deleted data they had collected illegally, the ICO said, and didn’t suspend Cambridge Analytica or sister firm SCL Group until 2018.
While Facebook boss Mark Zuckerberg has been grilled by EU and US legislators over the scandal, he has so far refused to appear in front of UK MPs to account for Facebook's actions.
The social network's breaches came under the Data Protection Act 1998, which was replaced by tougher data laws in May this year that put the maximum fine at £17m, or four per cent of annual turnover.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation,” Denham added. “The fine would inevitably have been significantly higher under the GDPR.
“One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.
“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
A Facebook spokesperson said: “We are currently reviewing the ICO's decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica. Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”