The Information Commissioner's Office has made good on its promise to fine Facebook over its breaches of data protection regulations following the Cambridge Analytica scandal, issuing the maximum £500,000 penalty permissible under the law in effect during the breach - a tiny fraction of what the company could have been fined under the new General Data Protection Regulation (GDPR).
Details of a serious breach of user privacy on the Facebook social networking platform broken back in March when a whistleblower detailed abuses by right-wing political campaign group Cambridge Analytica, a company found to have partnered with researcher Aleksandr Kogan to obtain personal information on not only direct users of an application supposedly restricted to 'academic use' but the data of their friends as well. 'We exploited Facebook to harvest millions of people's profiles,' Wylie claimed in an interview with The Guardian. 'And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company [Cambridge Analytica] was built on.'
Following its investigation into the breach, which confirmed Facebook's culpability, the Information Commissioner's Office (ICO) has issued a £500,000 fine - the maximum permissible under the Data Protection Act (DPA), the law in force at the time of the breach, rather than the significantly higher sum of the greater of four percent of global turnover or £17 million under its replacement the pan-European General Data Protection Regulation (GDPR).
'Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,' explains Information Commissioner Elizabeth Denham in support of the fine, levied after ICO found that the company failed to protect its users, and failed to suspend the abusive companies involved from their platform for three years after the flaw was discovered. 'We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.
'One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data. Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.'
Facebook has not issued comment on the fine, but is expected to appeal the ruling.