The £500,000 fine handed out to Facebook by the Information Commissioner’s Office (ICO) for data protection failings is a pittance. With global annual revenues of around $40bn, the amount is utterly inconsequential to Mark Zuckerberg and his pals.
Consider too that the apparent failure by Facebook to ensure that Cambridge Analytica had deleted data harvested from users affected up to 87 million people. In that context as well, a fine of half a million quid – which will be confirmed, or not, once Facebook has responded to the ICO’s findings – seems like small beer.
To recap, the ICO launched its investigation on the back of revelations by the whistle-blower Christopher Wylie, a former employee of Cambridge Analytica (a political consulting firm based in London). He described how the company had bought data about Facebook users which had been scraped by a quiz app. This included information not only about those people who took the quiz but also about friends in their Facebook network, who were entirely unaware of what was happening.
Wylie says the data was subsequently used by Cambridge Analytica to assist Donald Trump’s election campaign by targeting individuals with pro-Trump material. Cambridge Analytica, which filed for bankruptcy in the wake of the scandal, denies that the data was used in this way.
Facebook, meanwhile, says it told Cambridge Analytica to delete the data back in 2015 when claims about its use first surfaced. The ICO’s report concludes that the deletion may not have been properly completed.
Plainly the conclusions of the ICO raise some significant questions, and not only for Facebook. Elizabeth Denham, the Information Commissioner, has written to all the UK’s political parties requiring them to carry out a data protection review, in light of concerns about the way data has been bought from third party brokers which may not have had the appropriate permissions.
Certainly it seems that anxieties about the way the US presidential election – and perhaps the Brexit referendum – were influenced by the opaque targeting of voters by political campaigns (and by others with an interest in the outcome of those polls) are coming home to roost. What’s more, the ICO’s powers will, in future investigations, be rooted in the Data Protection Act 2018, which takes into account new European rules (GDPR). Penalties for major breaches will no longer be limited to £500,000 but instead will be able to run to 4 per cent of a firm’s annual turnover (or €20m, whichever is larger). That might concentrate minds further.
Transparency is fundamental if there is to be a step change in the way data is harvested, shared, sold and used. That is a point well made by the ICO’s report, especially in relation to political campaigns: people may not mind being targeted by political parties or causes but they want to know who is behind the messages they receive. Increasingly, internet users are conscious of the way they can be tracked, profiled and selected by advertisers, marketeers and political campaigners. In this climate it seems inevitable that the ICO will have more cases to deal with (whether it is sufficiently resourced to handle a significant uplift in its work is another matter).
But can the data genie be stuffed back in the bottle at this stage of the game? The truth is, modern society is now so indebted to, and reliant on, data analytics that we would barely function without its benefits. We work online, we socialise online, we bank and shop online, we consume news and entertainment online and we seek out information that we believe will interest us there. All of those things are made easier by the way our data footprint allows us each to create an online ecosystem in which the constituent parts of our web lives are inextricably linked with one another.
What’s more, data has become utterly fundamental to the commercial success of the firms which dominate the internet. New data protection regulations (and increased penalties for breaches) may encourage improved safeguards, but such is the value of our personal information that boundaries will inevitably be pushed. And there are plenty of shadowy operators who will remain out of the reach of the ICO, or authorities elsewhere. The danger posed by hackers is another issue altogether.
The Cambridge Analytica affair and Facebook’s fine will have heightened the public’s awareness of how integral data is to the globalised world. But the only way to ensure beyond doubt that personal data cannot be abused is to not share it with any third party who will store it digitally: and that, in 2018, is more or less impossible.