The UK’s Information Commissioner’s Office (ICO) has fined Facebook GB£500,000 for breaches of the Data Protection Act 1998 relating to the Cambridge Analytica scandal. That’s about US$650,000. The ICO’s investigation into Facebook’s activities is highly critical of the company’s laissez-faire approach to users’ data.
For seven years, Facebook failed to stop application developers taking users’ information without informed consent, and allowed the information of people who had merely befriended app users to be captured as well. For example, person A would download a survey app to their phone or tablet, which then needed Facebook credentials and permissions to proceed. Once he or she had granted access, the survey app collected data on all of their Facebook friends without those friends’ agreement.
Using this loophole, one app developer gathered the Facebook data of up to 87 million people worldwide, even though only a small fraction of them had downloaded the app. Part of this data was subsequently shared with other organisations, particularly SCL Group, the parent company of Cambridge Analytica.
The ICO was also scathing about Facebook’s response after the abuse of friend data was uncovered in late 2015, noting that it failed to ensure the data was deleted and did not suspend SCL from the platform until 2018.
Elizabeth Denham, Information Commissioner, said “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
The £500,000 fine is the maximum penalty available under the Data Protection Act 1998, the legislation in force at the time. Had the offence occurred under the GDPR, which allows fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, the penalty would have been much larger. The Commissioner went on, “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
In a week where Apple’s CEO called for GDPR-style regulations in the US, there’s a clear need for greater regulation of social media organisations and the world-wide protection of people’s information.
Camera image by Paweł Czerwiński on Unsplash