Facebook fined pre-GDPR maximum of £500,000 by ICO over Cambridge Analytica
Facebook could have been fined up to £17 million or four per cent of global turnover if the breach had occurred under GDPR
The Information Commissioner's Office (ICO) has fined Facebook the maximum £500,000 over the Cambridge Analytica affair.
The defunct political consultancy was able to harvest information about millions of Facebook users without their consent when a third party used a Facebook API to run an app called "This is Your Digital Life", supposedly for academic research purposes.
The Facebook API enabled the organisation not only to scoop up data about participants in the quiz, who had supposedly given their informed consent, but also the personal information of everyone in their Facebook network, who clearly had not.
Information gathered included public profiles, page likes, dates of birth and location, as well as news feeds, timelines and even messages.
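To illustrate the access-control mistake the ICO describes, here is an added example (a constructed Python model, not Facebook's code) that contrasts an API which treats one user's consent as covering their whole network with one that authorises each data subject separately. The user graph, profile fields and function names are hypothetical.

```python
"""Constructed model of the platform-API failure described in the article:
an app authorised by one user also receives that user's friends' data.
All users, fields and API names below are hypothetical (not Facebook's)."""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    profile: dict
    friends: set = field(default_factory=set)
    # Apps this user has personally installed / consented to.
    consented_apps: set = field(default_factory=set)


# Constructed sample graph: only "alice" installs the quiz app.
USERS = {
    "alice": User("alice", {"name": "Alice", "dob": "1990-01-01", "likes": ["hiking"]},
                  {"bob", "carol"}, {"quiz_app"}),
    "bob": User("bob", {"name": "Bob", "dob": "1985-05-05", "likes": ["chess"]},
                {"alice"}),
    "carol": User("carol", {"name": "Carol", "dob": "1992-03-03", "likes": ["jazz"]},
                  {"alice"}),
}


def friends_data_v1(app_id, requesting_uid):
    """Deliberately over-permissive model of the pre-2014 behaviour: the
    requesting user's consent is treated as covering their friends too, so
    every friend's profile is returned once the requester has installed the app."""
    user = USERS[requesting_uid]
    if app_id not in user.consented_apps:
        raise PermissionError(f"{requesting_uid} has not authorised {app_id}")
    return {fid: USERS[fid].profile for fid in user.friends}


def friends_data_v2(app_id, requesting_uid):
    """Hardened model: authorisation is evaluated per data subject. A friend's
    profile is returned only if that friend has consented to the same app."""
    user = USERS[requesting_uid]
    if app_id not in user.consented_apps:
        raise PermissionError(f"{requesting_uid} has not authorised {app_id}")
    return {
        fid: USERS[fid].profile
        for fid in user.friends
        if app_id in USERS[fid].consented_apps
    }


def harvested_uids(api, app_id):
    """Simulate a harvesting app: call `api` for every user who installed
    `app_id` and return the set of uids whose profiles it obtained
    (installers themselves plus whatever the friends endpoint yielded)."""
    reached = set()
    for uid, user in USERS.items():
        if app_id in user.consented_apps:
            reached.add(uid)
            reached.update(api(app_id, uid))
    return reached


if __name__ == "__main__":
    print("v1 reach:", sorted(harvested_uids(friends_data_v1, "quiz_app")))
    print("v2 reach:", sorted(harvested_uids(friends_data_v2, "quiz_app")))
```

With one installer, the over-permissive model hands the app the whole network (three people) while the per-subject check yields only the installer. The point is not the size of the toy graph but where the authorisation decision is made: on the data subject, not on the caller who happens to be connected to them.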
Cambridge Analytica was able to gather the information of up to 87 million Facebook accounts, predominantly in the US, which it subsequently used for psychological profiling and targeted political campaign advertising for its clients.
The fine comes after the ICO issued a Notice of Intent in July, enabling Facebook to make its representations (i.e. to argue against the size of the fine). The ICO has now confirmed that the fine, the maximum allowable under the old Data Protection Act 1998, will stand.
"The ICO's investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had," said the ICO in a statement today.
It continued: "Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.
"A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US."
Furthermore, even after Facebook discovered the misuse of its API and the scale of the data extraction that had taken place, it did too little to ensure that remedial action was taken, according to the ICO.
"The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse," the ICO added.
Elizabeth Denham, Information Commissioner, said: "Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better."
Under the GDPR, the ICO noted, Facebook could have faced a fine of up to £17 million or four per cent of global turnover.