Global Compliance , Governance & Risk Management , Privacy
Facebook Agrees to Pay UK Fine in Cambridge Analytica CaseBritish Authorities Found Social Media Company Violated Privacy Laws
After months of appeals, Facebook has agreed to pay £500,000 ($643,000) to settle claims that it violated U.K. privacy laws by allowing Cambridge Analytica - a now-defunct digital marketer that focused, in part, on political campaigns - to access the personal data of 87 million of its users.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The fine is the maximum that the Information Commissioner's Office, Britain's top privacy watchdog, could bring under the law, because the incident happened in 2015, before the European Union's tougher General Data Privacy Regulation went into effect.
Although it agreed to pay the fine, Facebook did not admit any liability in the case. And the social media company can keep documents that investigators obtained as part of the investigation, according to the ICO.
Facebook intends to use those internal company documents as part of its own investigation into the Cambridge Analytica scandal, the ICO says.
We have published a statement on an agreement reached between Facebook and the ICO.— ICO (@ICOnews) October 30, 2019
➡️ https://t.co/SlVb7wmrP6 pic.twitter.com/Iho9I1klse
"Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy," says James Dipple-Johnstone, a deputy commissioner with the ICO. "We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection."
Cambridge Analytica Fallout
The ICO fine is one of several that Facebook has agreed to pay since the Cambridge Analytica scandal first came to light following a series of articles in the Guardian starting in 2017.
In July, the U.S. Federal Trade Commission and the Justice Department announced a record-setting $5 billion fine as part of a settlement agreement with Facebook concerning the misuse of users' personal data and information. In addition, CEO Mark Zuckerberg agreed to implement new privacy and data protection measures for users of its social media platforms (see: It's Official: FTC Fines Facebook $5 Billion).
Around the same time, Italy's data protection regulator slapped Facebook with a $1 million fine.
In its settlement with the ICO on Wednesday, Facebook executives acknowledged that the company should have done more to investigate how Cambridge Analytica was using its customers' data.
"As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015," says Harry Kinmonth, director and associate general counsel at Facebook. "We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information."
Britain's IOC first began investigating Facebook's role in the Cambridge Analytica scandal in 2017 (see: Facebook Slammed With Maximum UK Privacy Fine).
Investigators in the U.K. and elsewhere found was that Cambridge Analytica obtained about 87 million users' profile data from Aleksandr Kogan, a Cambridge University lecturer who deployed a quiz app on Facebook around 2013.
That app, called "This is Your Digital Life," collected the personal information for those who used it as well as that of their friends, who had not provided their consent. Facebook allowed that kind of data collection at the time, but the social networking firm later changed its rules to forbid it.
Of the 87 million users profiles collected during this time, about 1 million of those belonged to U.K. residents, according to the ICO's investigation.
Cambridge Analytica reportedly used the data to develop psychographic profiles that could be used for political advertising. The company, which worked for a few months for President Donald Trump's campaign and filed for U.S. bankruptcy in May 2018, denied the data was useful.
On Oct. 24, 2018, the ICO concluded its investigation and issued the £500,000 fine against Facebook. Previously, the only other company hit with that size fine was Equifax, for the failures that led to a massive data breach in 2017.
After the ICO announced the fine, Facebook spent months appealing the ruling until the company and the privacy watchdog settled on Wednesday. In his statement, Facebook's Kinmonth said the company would continue to cooperate with the ICO into other investigations looking at the use of personal data for political purposes.