On 25th October, the Information Commissioner’s Office (ICO) fined Facebook £500,000 for its serious breach of data protection laws between 2007 and 2014. This follows a Notice of Intent to fine Facebook which was issued in July 2018 as part of the ICO’s wider investigation into the breach.
Upon conclusion of its investigation, and having considered all representations made by the company, the ICO issued the maximum fine available under the laws which were applicable at the time of the offence.
The investigation was launched in response to the Cambridge Analytica Scandal. Over a 7-year period, Facebook processed the personal data of users unfairly by allowing app developers access to their users’ information without sufficiently clear and informed consent. Even where people hadn’t downloaded the app, their information was still processed if they were ‘friends’ with someone who had.
Facebook also failed to make suitable checks on the apps and developers using its platform, allowing them to unlawfully access its users’ personal data.
The ICO found that over 80 million users world-wide had their data harvested through the Facebook personality quiz which was developed by Dr Aleksandr Kogan and his company ‘GSR’. The information obtained through those who downloaded the quiz, including data of their ‘friends’ that had not downloaded it, was fed back to the company without the users’ consent or knowledge.
This information was then shared with several companies including the parent company of Cambridge Analytica, SCL Group, which was involved in running targeted Facebook adverts in US political contests.
Although it has since been reported, based on information provided by Facebook, that no UK users’ details had been shared, the information commissioner said that the lack of controls meant the data of UK residents was “put at serious risk” of being used for political campaigning – even if this did not actually take place.
The ICO also reported that, despite being informed of the misuse of data in 2015, Facebook failed to ensure that those who continued to hold the data had taken adequate and timely remedial action, including deletion, both during and after the unlawful processing of this data. For example, Facebook did not suspend SCL from using its platform until 2018.
The ICO has called the incident a “serious breach of data protection law” and issued Facebook with the maximum fine allowed under the laws applicable at the time. However, had the new GDPR been in effect when the breached occurred, it is more than likely that the fine would have been substantially higher as the ICO is now able to fine companies €20m or 4% of global turnover.
Facebook has the right to appeal the verdict and has confirmed that it is currently reviewing the ICO’s decision.
Whilst the fine itself won’t harm Facebook’s revenues, it has already seen impacts to its brand and business with a decrease in its user numbers within Europe. It is therefore important to remember that data breaches can go beyond the immediate monetary penalties, and the long-term effect of customer loyalty, share value and public opinion may be more damaging in the long run.
However, as the fine was the highest permissible under the applicable laws, it demonstrates the stance that the ICO is willing to take in respect of serious data breaches, which should focus the attention of all businesses in respect of their actions to ensure compliance with data protection laws.
What can businesses do?
Whilst your business may not be unlawfully sharing personal data, you can certainly take some lessons from Facebook’s failures. All businesses must ensure that they process personal data in accordance with those lawful purposes set out by GDPR, conduct regular reviews of their data protection policies, contracts and protocols to identify any potential weakness which may fall foul of the regulations. Management teams should also be aware of the changes to the data protection laws, and ensure this information is fed down to all staff members.
If you are concerned that your business is not yet GDPR compliant, please contact Dan Dowen on firstname.lastname@example.org or 02920 345511 for further advice and guidance.