The Information Commissioner's Office has fined Facebook an exemplary £500,000 under the existing Data Protection Act for failing to prevent data analytics firms (Cambridge Analytica) from harvesting personal details of millions of users.
Enforcement action against Facebook a certainty
After it came to light that data analytics firm Cambridge Analytica harvested data of up to 87 million Facebook users from a specialised app named thisisyourdigitallife, the Information Commissioner's Office told the media that its investigation into the data harvesting scandal "could result in enforcement action" and that it would recommend certain public policies to regulate how personal data is used online and what can be done to control such usage.
"The ICO is looking at how data was collected from a third party app on Facebook and shared with Cambridge Analytica. We are also conducting a broader investigation into how social media platforms were used in political campaigning.
"Facebook has been co-operating with us and, while I am pleased with the changes they are making, it is too early to say whether they are sufficient under the law," said Information Commissioner Elizabeth Denham.
"This is an important time for privacy rights. Transparency and accountability must be considered, otherwise it will be impossible to rebuild trust in the way that personal information is obtained, used and shared online.
"This is why, besides my investigation, which could result in enforcement action, I will also be making clear public policy recommendations to help us understand how our personal data is used online and what we can do to control how it's used," she added.
ICO walks the talk
Having conducted an in-depth investigation into data harvesting practices of data analytics firms and Facebook's role in preventing/reporting such practices, the ICO announced yesterday that it had levied a fine of a maximum £500,000 on the social media giant for two breaches of the Data Protection Act.
"Facebook, with Cambridge Analytica, has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world. This is now estimated at 87 million.
"The ICO's investigation concluded that Facebook contravened the law by failing to safeguard people's information. It also found that the company failed to be transparent about how people's data was harvested by others," the watchdog said.
Aside from fining Facebook, the ICO has also issued warning letters to 11 political parties in order to compel them to agree to audits of their data protection practices, issued an Enforcement Notice to SCL Elections Ltd to deal properly with a subject access request, issued an Enforcement Notice to Aggregate IQ to stop processing retained data belonging to UK citizens, and announced an audit of the Cambridge University Psychometric Centre.
Commenting on the exemplary fine issued by the ICO to Facebook, which is also the maximum amount that can be levied under DPA, Christopher Littlejohns, EMEA manager at Synopsys, said that the fine imposed on Facebook is a salutary lesson to companies operating within the European region and that a fine of such magnitude could top hundreds of millions under the newly-implemented GDPR.
"Such fines are potentially so large they can significantly affect operating margin, and ultimately share prices of large companies. Personal data collectors and aggregators are particularly at risk to these issues, due to the scale and value of the data they collect; and consequently should be extremely vigilant and diligent in their custodianship of such data.
"Companies that do not undertake effective risk analysis, data privacy management, ongoing diligence, and open communication with users and authorities when breaches occur will potentially face severe business impediments at best, and existential threats at worst," he added.