ICO issues maximum fine to Facebook for data protection failures
The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law. This marks yet another maximum level fine from the ICO.
The fine was issued to Facebook following an on-going investigation into the use of data analytics for political purposes. The ICO described the investigation as "the most important investigation they have ever undertaken". It has resulted in fines, warning letters being sent to every UK party with an MP in the House of Commons, and notices compelling data protection audits.
What Did Facebook Do Wrong?
The ICO states that Facebook failed on two counts:
1. They failed to safeguard their users’ information; and
2. They failed to be transparent about how that data was harvested by others.
Overall, Facebook failed to make suitable checks on apps and developers using its platform and failed to keep their users' personal information secure. The personal information of users was processed unfairly as access was allowed without sufficiently clear and informed consent. Facebook even allowed access to the information of users who had not downloaded the app, but were simply ‘friends’ with people who had!
Further, even after the misuse of the data was discovered, Facebook did not do enough to ensure developers took adequate and timely remedial action. The personal information of at least one million UK users was among the harvested data and was put at risk of further misuse.
Would This Fine Be Different Under GDPR?
Almost certainly. The ICO’s rhetoric has been extremely strong in relation to the activity undertaken by Facebook. Its action (and inaction) has not just had an impact on the lives of individuals but has also influenced the conduct of political parties. There is every reason to think that the fine would have been significantly higher if the breach had occurred under the new laws, namely the Data Protection Act 2018 and the General Data Protection Regulation 2016/679. In essence, these laws allow fines of up to £17 million or 4% of global turnover.
This maximum fine follows the £500,000 Equifax monetary penalty notice in September. This is indicative of a trend which shows that the ICO is more ready than ever to issue large fines where it feels the breach in question merits a strong response.
Is There A Mega Fine On The Horizon?
Quite possibly. We know the ICO has issued its first notice of intent under the GDPR. We also know that it is actively investigating British Airways, which lost 380,000 customers’ details in a security breach earlier in the year. And then of course (with perhaps poetic justice), Facebook is back in the ICO’s sights following the well-publicised breach affecting 50 million accounts worldwide. There is a reasonable chance that either or both of these businesses will attract much larger fines than anything we have seen before.
There is also a further update on the ICO investigation into data analytics for political purposes due on Tuesday 6 November – so watch this space for this particular issue.
If you have any queries regarding anything touched on in this article, or if you would like further information, please contact Matthew Holman, or give us a call on 0345 070 6000.