The Information Commissioner’s Office (ICO) has issued a fine of £500,000 to Facebook for the data scandal involving Cambridge Analytica.

On 25 October, the ICO confirmed it had issued the fine after notifying Facebook of its intention back in July. The United Kingdom’s independent authority subsequently heard representations from the social media giant. But it ultimately decided to not change the penalty.

Elizabeth Denham, the United Kingdom’s Information Commissioner, explained how the fine reflects the fact that “Facebook failed to sufficiently protect the privacy of its users.” She also noted that “A company of its size and expertise should have known better and… should have done better.” As quoted in a statement:

We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

According to the ICO’s investigation, Facebook granted application developers the ability to access its users’ data without clear consent. The social media giant also failed to impose checks on developers and apps using the platform, the agency found. This oversight enabled a developer to harvest the data of up to 87 million Facebook users and share at least part of this data with Cambridge Analytica, a political consulting firm which was active during the 2016 U.S. presidential election.

The Information Commissioner’s Office also discovered that Facebook had neglected to properly remediate these issues after the data misuse was discovered in December 2015.

The fine is the maximum amount that the ICO can impose under the Data Protection Act 1998. In 2018, this framework was replaced with the Data Protection Act 2018 along with the European Union’s General Data Protection Regulation (GDPR). Under those new regulations, the agency can impose fines of up to £17 million or 4% of global annual turnover, whichever is higher.

Click here to read the ICO’s full monetary penalty notice for Facebook.