Timing sees Facebook avoid multi-million GDPR fine from UK
Facebook is set to be fined £500,000 by the UK for its part in the Cambridge Analytica scandal. Britain’s Information Commissioner has announced the global firm will be hit by the maximum amount possible according to the UK’s Data Protection Act.
The Facebook–Cambridge Analytica data scandal saw the personally identifiable information of 87 million Facebook users collected – along with a reportedly a much greater number that Cambridge Analytica began collecting in 2014 – before allegedly being used to attempt to influence voter opinion on behalf of politicians who hired Cambridge Analytica. Following the discovery, Facebook apologised amid public outcry and rising stock prices. The way that Cambridge Analytica collected the data was called "inappropriate", while Facebook CEO Mark Zuckerberg appeared before the US Senate for questioning – something the technological tycoon refused to do with UK MPs.
In spite of this, the UK’s Information Commissioner has still levied a £500,000 fine against Facebook as punishment for its transgression. The fine is for two breaches of the Data Protection Act, with the Information Commissioner’s Office (ICO) concluding that Facebook had not adequately safeguarded its users’ information, while failing to be transparent about how that data was harvested by others.
Elizabeth Denham, the Information Commissioner said, “Facebook has failed to provide the kind of protections they are required to under the Data Protection Act [which was introduced in 1998]. Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
The ICO inquiry has also resulted in warning letters being sent to 11 political parties – every UK party with an MP in the House of Commons as of March 2017, when the investigation began – and notices compelling them to agree to data protection audits.
While the fine is the maximum available to the ICO, and is supposed to be a severe smack down for offenders of data privacy violations, Facebook will be considering itself fortunate, not only because in the age of billion pound internet behemoths, £500,000 is the revenue Facebook raked in every five and a half minutes in Q1 2018, but also because of the timing of the breaches. Had the Cambridge Analytica debacle come to light months later, the ICO would have likely been able to call on the European General Data Protection (GDPR) to issue a far more severe blow.
GDPR famously caps fines at the higher level of £17 million (€20 million) or 4% of global turnover – depending on which is largest. In Facebook’s case, 4% of global turnover amounts to a colossal £1.4 billion ($1.9 billion).
In April, a month before the enactment of GDPR, Facebook announced a raft of new privacy measures. It was quickly noted that this roster of new rules was in fact just an expansion of compliance measures expected for the EU’s GDPR – though it expanded these standards to apply beyond EU citizens.
Related: GDPR preparation has cost FTSE 350 businesses around $1.1 billion.