The Information Commissioner’s Office (ICO) has reportedly fined Facebook £500,000 for allowing user information to be accessed by third-party developers without sufficient consent. Under the old data protection legislation, the fine was the maximum available to the ICO, and the regulator did not change its initial decision, made in July.
The ICO had found that the personal data of over 1 million UK users was among the harvested information and, as a result, was put at risk of further misuse. The regulator also insisted that under the new regulatory system, Facebook could have faced a considerably higher fine of up to £1.2bn.
The ICO report said that the company did not do enough to ensure that those holding the data had taken sufficient and timely remedial action, including deletion. Furthermore, Facebook did not suspend SCL Group, the parent company of Cambridge Analytica, from its platform until 2018.
Information Commissioner Elizabeth Denham said that the regulatory body has imposed the maximum penalty under the previous legislation, as it considered these offences to be very serious. She further confirmed that the fine would have been considerably higher under the GDPR. One key motivation for taking this enforcement action is to drive meaningful change in how corporations handle people’s personal data, she added.
Facebook stated that the company is currently reviewing the ICO’s decision. The company disagrees with some of the ICO’s findings, but had previously said that it should certainly have put more effort into investigating claims about Cambridge Analytica in 2015 and acted accordingly. Facebook mentioned that the ICO has found no proof to suggest that the data of UK Facebook users had been shared with Cambridge Analytica.
The ICO has acknowledged Facebook’s complete cooperation throughout its investigation. The company is already subject to an investigation by the Irish data regulator, due to an unconnected data breach found last month, which could result in a record high fine.