Tag Archives: ICO

Facebook Fined For Cambridge Analytica Fiasco



The UK’s Information Commissioner’s Office (ICO) has fined Facebook GB£500,000 for data breaches relating to the Cambridge Analytica scandal. That’s about  US$650,000. The ICO’s investigation into the activities of Facebook is highly critical of Facebook’s laissez-faire approach to user’s data.

For seven years, Facebook failed to stop application developers taking users’ information without informed consent, and allowed capture of the information even when people were only friends with others who had downloaded particular apps. For example, person A would download a survey app to their phone or tablet which then needed Facebook credentials and permissions to proceed. Once he or she had given access, the survey app then collected data on all their Facebook friends without the agreement of the friends.

Using this loophole, one app developer gathered the Facebook data of up to 87 million people worldwide despite only a small fraction of these downloading the app. Part of this data was subsequently shared with other organisations, particulary SCL Group, the parent company of Cambridge Analytica.

The ICO was also scathing about Facebook’s response after the abuse of friend data was uncovered in late 2015, noting that it failed to ensure that data was deleted and didn’t kick SCL off Facebook until 2018.

Elizabeth Denham, Information Commissioner, said “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

The £500,000 fine is the maximum penalty under the previous regulations and had the offence occurred under the GDPR framework, the fine would have been much higher. The Commissioner went on, “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

In a week where Apple’s CEO called for GDPR-style regulations in the US, there’s a clear need for greater regulation of social media organisations and the world-wide protection of people’s information.

Camera image by Paweł Czerwiński on Unsplash


ACS Law Boss Fined By ICO



The UK’s Information Commissioner’s Office today announced that it was fining Andrew Crossley of the now defunct ACS Law £1,000 for failing to keep secure sensitive personal information about 6,000 people.

The Information Commissioner, Christopher Graham, was particularly critical saying, “The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”

If ACS Law had still been trading, the fine could have been as high as £200,000. As Andrew Crossley was trading as a sole trader under the name ACS Law, it falls on him to pay as an individual.

Previously, ACS Law had been pursuing alleged copyright infringers on behalf copyright holders, including some from the adult entertainment industry. Its main tactic had been to send out letters to the alleged infringers, “encouraging” them to settle outside of court. Apparently over £1 million was raised through this tactic with 65% of the money going to ACS Law and only 35% going to the copyright holders (as reported by the BBC.)

Last year ACS Law’s IT systems were attacked by a distributed denial of service attack (DDoS) which brought down their website. When the site was restored, for a short time a backup file was easily available for download by anyone. This file contained Excel spreadsheets with information on around 13,000 alleged file sharers, including those accused of downloading pornography.

More from the press release…The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.

Overall, a pretty damning report. However, even if ACS Law is no longer trading, one can’t help feel that Andrew Crossley’s £1,000 fine is too small given that around £650,000 was raised by ACS Law by threatening alleged copyright infringers with legal action. I wonder what the average cost to settle was in comparison?


Code of Practice for Privacy Protection



The UK’s Information Commissioner’s Office has published a pair of  guides about holding personal information online.  The first guide is a Code of Practice aimed at organisations, particularly, those that sell goods and services over the web and is to help them understand the data protection law and develop good practice.  The second is for individuals and is Protecting Your Personal Information Online.

The Information Commissioner’s Office is an independent body setup to promote and police the UK’s information legislation including the Data Protection Act and the Freedom of Information Act.

The new Code of Practice has several sections including how the law applies, how to operate internationally, individuals’ rights and pitfalls to avoid.  It also includes a number of special cases, e.g. when dealing with children.

The personal guide provides information on protecting your personal info and identity, online scams, cookies, browser settings and social networks.  Definitely worth a read, even if you are not UK-based.  It’s all good sensible stuff.

What’s been stirring the media is that for the first time the ICO has commented on “behavioural marketing”, i.e. adverts are tailored to your browsing activity.  There had been some debate about the legality of this but as long as its clear what is going on and the person can opt out, there’s no problem.  There’s more information on behavioural marketing here.

Regardless of whether you are in the UK or elsewhere or whether you are a supplier or a customer, it’s worth giving both guides a browse.