Facebook has been stung with the maximum possible fine by Britain’s privacy watchdog for the Cambridge Analytica scandal.
The UK’s Information Commissioner’s Office fined Facebook £500,000 ($645,000), the highest punishment it can dish out for a data breach.
The ICO said in July that it intended to levy the fine on Facebook after Cambridge Analytica exploited the data of 87 million users harvested by developer Dr Aleksandr Kogan.
Confirmation of the penalty came on Thursday, with Information Commissioner Elizabeth Denham saying: “A company of its size and expertise should have known better and it should have done better.”
The fine is, of course, tiny in the context of Facebook’s revenues of more than $40 billion. Denham said it would have been much higher had Europe’s GDPR rules been in force. GDPR allows data watchdogs to fine companies up to 4% of their global turnover, which in Facebook’s case would be $1.6 billion.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR,” she said.
“One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
Facebook can appeal the fine. A spokesman said:
“We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”
The ICO’s 27-page penalty notice can be read here. In summary, the ICO said Facebook failed to protect users by allowing developers access to data without clear and proper consent between 2007 and 2014.
This allowed Kogan and his company GSR to harvest information, which was ultimately weaponized by Cambridge Analytica during the 2016 presidential election in the US.
Even after the breach was discovered in 2015, the ICO said Facebook did not take sufficient action to ensure those who held the data deleted it.