Facebook hit with huge fine for failing to protect its users' privacy

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

Facebook has been hit with a huge fine for failing to protect its users' privacy.

The UK Information Commissioner's Office will force the company to pay £500,000 for allowing people to take its users personal data in the Cambridge Analytica scandal.

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data," said Elizabeth Denham, information commissioner. "A company of its size and expertise should have known better and it should have done better.”

The fine is the maximum possible punishment that the ICO can issue, because the Cambridge Analytica breach happened before the new GDPR rules came into effect in May. It was served under the Data Protection Act 1998.

If the breach were to happen now, the ICO would be able to offer far more significant punishment. GDPR allows for a range of tools, including fines of up to £17 million or 4 per cent of global turnover.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation," said Ms Denham. "The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

The Information Commissioner Office found that between 2007 and 2014, Facebook processed the personal information of users unfairly by giving app developers access to their information without informed consent. The failings meant the data of some 87 million people was used without their knowledge.

The ICO said a subset of the data was later shared with other organisations, including SCL Group, the parent company of political consultancy Cambridge Analytica. News that the consultancy had used data from tens of millions of Facebook accounts to profile voters and help U.S. President Donald Trump's 2016 election campaign ignited a global scandal on data rights.

"We are currently reviewing the ICO's decision," Facebook said in a statement. "While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation."

Facebook also took solace in the fact that the ICO did not definitively assert that UK users had their data shared for campaigning. But the commissioner noted in her statement that "even if Facebook's assertion is correct," US residents would have used the site while visiting the UK.

Additional reporting by agencies