U.K. authorities have hit Facebook with the highest possible punishment for its Cambridge Analytica data breach, ordering the social media empire to pay £500,000 ($645,000).
The U.K.’s Information Commissioner’s Office (ICO), the country’s privacy watchdog, said Facebook is responsible for “serious breaches of data protection” that allowed the personal data of up to 87 million Facebook users to fall into the hands of Cambridge Analytica, a data harvester with links to former Trump adviser Steve Bannon and other right-wing extremists.
“A company of its size and expertise should have known better and it should have done better,” said information commissioner Elizabeth Denham in an Oct. 25 announcement.
The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent.
But not only did Facebook permit app developers to access the personal data of app users, it also let them access the data of all the app users’ friends, even if they hadn’t downloaded the app.
Facebook also failed to keep the personal information of its users secure because it failed to make suitable checks on apps and developers using its platform, the ICO said.
“These failings meant one developer, Dr. Aleksandr Kogan, and his company GSR harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US,” the ICO said.
Facebook became aware that the data of its users was being collected and misused in December 2015, but its response to the problem was slow and ineffective.
Even after Facebook discovered the data misuse in December 2015, it did not do enough to ensure that Cambridge Analytica and the other companies that had received the data had taken proper remedial action, including deleting the data. In fact, Facebook did not suspend Cambridge Analytica from its platform until 2018.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR,” Commissioner Denham said, referring to the EU’s General Data Protection Regulation, which was not in force at the time of the breaches.
The GDPR allows regulators to fine companies up to €20 million or four percent of their total worldwide annual turnover, whichever is higher. For Facebook, such a fine could have amounted to as much as $1.6 billion under the new rule.
“We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015,” Facebook said in a statement about the small but symbolic fine, which it could appeal.
Facebook said that now that the UK investigation is complete, “we are hopeful that the ICO will now let us have access to [Cambridge Analytica] servers so that we are able to audit the data they received.”