Facebook faces the maximum fine of £500,000 over its role in the Cambridge Analytica scandal, but the fine could have been up to £1.6bn under the GDPR.
The Information Commissioner’s Office (ICO) has indicated its intention to impose a fine on Facebook of £500,000, the maximum fine allowed under the old data protection regime.
The action from the ICO follows an investigation into the use of Facebook members’ personal data by Cambridge Analytica. The data-mining firm, which claimed it could swing elections, crunched personal data of millions of Facebook users for the 2016 Republican campaign.
The ICO said that Facebook had not done enough to explain to its members how their data was being used and failed to provide controls over the use of its members’ sensitive personal data. It also stated that Facebook failed to ensure that Cambridge Analytica deleted the members’ personal data.
The £500,000 fine is, of course, inconsequential to Facebook, a global company which generates that sum roughly every 7 minutes.
Interestingly, however, if the events had happened after 25 May 2018 (the implementation date for the GDPR), Facebook could be facing a far greater fine of up to 4% of its turnover. This means the maximum fine for the same offence under GDPR could be roughly £1.6bn (based on its 2017 turnover of $40.65bn).
Facebook may therefore consider itself fortunate that the GDPR does not allow for retrospective fines, albeit the real damage to Facebook may be to its reputation. Facebook now faces the task of convincing the public that it can be trusted with members’ personal data in an age when people are becoming ever more vigilant about who their personal data is shared with.
The ICO also confirmed its intention to bring criminal proceedings against Cambridge Analytica; however, as the company ceased trading in May 2018, the ICO may also consider pursuing the directors.
The ICO is clearly continuing to demonstrate that it intends to use the full force of its powers if companies continue to misuse personal data. As those powers will soon become substantially more punitive, it is crucial that companies ensure their data processing practices are compliant.