Today the Information Commissioner’s Office (ICO) in the UK announced that it was slapping Facebook with a £500,000 ($644,413) fine for “serious breaches of data protection law.”
An ICO investigation found that between 2007 and 2014, Facebook “processed the personal information of users unfairly” for a number of reasons related to data protection and data consent.
It’s not the first fine Facebook has been handed, having previously had to pay up to the EU for its shady tax affairs, but it is one of the first for its inappropriate use of user data. So, what does this mean for Facebook? What does it mean for social networks? And why’s the fine so darned small?
Why Did Facebook Get Fined?
It’s all to do with Cambridge Analytica, the data analytics company believed to have helped propel Trump to the White House and push the UK out of the EU.
During the ICO’s investigation of Facebook, it found that:
- “Facebook processed the personal information of users unfairly by allowing [app developers] access to their information without sufficiently clear and informed consent.”
- Facebook was also “allowing access [to user data] even if users had not downloaded the app, but were simply ‘friends’ with people who had.”
- Facebook “failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform.”
These failings allowed Dr Aleksandr Kogan, a Moldovan-born data scientist, and his company GSR to create the app which harvested the Facebook data of up to 87 million people around the world without their knowledge.
Some of this data was then shared with organisations including Cambridge Analytica, which went on to use it for targeted political campaigning in the US.
But Facebook’s big failing was that even after it discovered the misuse of data in December 2015, it didn’t take nearly enough action to put a stop to it. In fact, Facebook didn’t suspend Cambridge Analytica’s parent company, SCL Group, from the platform until March this year.
All told, it’s a big black mark against Facebook. It didn’t do enough to protect its users’ data, and when it found out the data was being misused, it didn’t act quickly or fully enough to stop it.
Why Was the Fine so Small?
Basically, Facebook got lucky. As the incidents took place before May 2018, the ICO couldn’t operate under the new EU-wide GDPR rules; instead, it had to work under the UK-specific Data Protection Act 1998.
In practice, this bit of legalese means that the ICO could only issue Facebook a fine of up to £500,000. The agency first announced that it planned to punish Facebook in July, and despite the social network’s efforts to fight the agency’s decision, the ICO went ahead with the fine.
If the ICO had been able to prosecute Facebook under the new GDPR regime, the consequences would have been severe. The maximum fine allowed under GDPR is either £17 million (nearly $22 million) or 4% of global turnover; in Facebook’s case, this could run to several billion dollars.
What is the ICO?
The ICO, according to its website, is “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”
In practice, it’s the authority’s job to cast a watchful eye over the way companies, organizations and UK government institutions use data.
So if a company collects personal data from inside the UK, or from people in the UK, the ICO should — in theory — be watching it.