Facebook Receives Maximum ICO Fine for CA Data Breach

In the UK, the Information Commissioner's Office (ICO) has issued the maximum £500k fine to Facebook, for failing to protect users' personal information in the recent Cambridge Analytica (CA) data breach.

Earlier this year, CA was accused of illegally collecting Facebook profiles which could be matched to electoral rolls. The problems centred around data provided by users of a personality quiz app, created by Aleksandr Kogan and his firm Global Science Research (GSR), through which the Facebook data of up to 87 million people was harvested without their knowledge. Some of this data was later shared with CA's parent company, SCL, which was involved in political campaigning in the US.

Even after the misuse of the data was discovered in December 2015, the ICO found that Facebook did not do enough to ensure those who continued to hold the data had taken adequate and timely remedial action. In the case of SCL, Facebook did not suspend the company from its platform until 2018, and the ICO found that the personal information of at least one million UK users was among the harvested data.

The £500k fine is the maximum allowable under the Data Protection Act 1998 which applied at the time the incidents occurred. This law has now been replaced by the new Data Protection Act 2018, alongside the EU's General Data Protection Regulation (GDPR), and under the terms of GDPR, maximum fines would now be £17m or 4% of global turnover. Information Commissioner Elizabeth Denham (pictured) said that Facebook had failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. 'A company of its size and expertise should have known better and it should have done better,' she added.

Web site: www.ico.org.uk .

All articles 2006-23 written and edited by Mel Crowther and/or Nick Thomas, 2024- by Nick Thomas, unless otherwise stated.