Facebook strikes deal with ICO over Cambridge Analytica

Facebook to pay £500,000 fine without admission of responsibility

Facebook has reached a deal with the Information Commissioner's Office (ICO) over the misuse of personal data by Cambridge Analytica. The company will pay the £500,000 fine originally proposed by the ICO - the maximum it could legally levy, pre-GDPR - but without acknowledging responsibility.

Facebook had appealed against the sum set out in the ICO's monetary penalty notice. Despite not acknowledging responsibility, it did admit that it could have done more and sooner, and claimed that it regretted not doing so.

ICO deputy commissioner James Dipple-Johnstone said: "The ICO's main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals but also as we now know, for the preservation of a strong democracy."

Cambridge Analytica acquired the personal data of 87 million Facebook users in 2015 via data scientist Aleksandr Kogan, who devised a quiz entitled 'This is Your Digital Life' in the form of a Facebook app. This app was purportedly devised, and therefore approved by Facebook, for academic purposes, but was instead provided by Kogan to Cambridge Analytica.

Furthermore, not only did the app hoover up the personal information of everyone who took the quiz - all their data, not just their quiz responses - it also collected the personal information of those people's Facebook friends.

In this way, Cambridge Analytica was able to acquire the personal information of some 87 million Facebook users - 70.6 million of them believed to be in the US. According to Facebook, the exfiltrated information included "public profile, page likes, birthday and current city".

Cambridge Analytica went on to work, briefly, with the presidential campaigns of Ted Cruz and the eventual winner of the 2016 US presidential election, Donald Trump. However, the directors of both campaigns quickly concluded that Cambridge Analytica's technology had been oversold.

President Obama, in 2012, had also used a Facebook app to acquire not just the personal information of supporters who signed up for the app, but also their Facebook friends lists.

"If a person signed on to Dashboard [the Obama campaign's 2012 Facebook app] through his or her Facebook account, the campaign could, with permission, gain access to that person's Facebook friends," The Washington Post reported in 2013.

It continued: "The Obama team called this 'targeted sharing'. It knew from other research that people who pay less attention to politics are more likely to listen to a message from a friend than from someone in the campaign.

"The team could supply people with information about their friends based on data it had independently gathered. The campaign knew who was and who wasn't registered to vote. It knew who had a low propensity to vote. It knew who was solid for Obama and who needed more persuasion — and a gentle or not-so-gentle nudge to vote.

"Instead of asking someone to send a message to all of his or her Facebook friends, the campaign could present a hand-picked list of the three or four or five people it believed would most benefit from personal encouragement."

Facebook has since tightened up its policies around apps and their access to personal data, belatedly suspending tens of thousands of apps last month. And in contrast to the £500,000 pre-GDPR fine levied by the ICO on Facebook, the US Federal Trade Commission earlier this year hit the company with a $5 billion fine over the affair, which contravened the terms of an earlier consent decree over the misuse of personal data.