Facebook Inc. could be fined a symbolic 500,000 pounds ($664,000) by the UK’s privacy regulator after the social network giant failed to prevent key user data falling into the hands of a political consultancy that helped get President Donald Trump elected.
The UK Information Commissioner’s Office is threatening the company with the maximum penalty allowed, it said Wednesday when issuing its first findings in a probe that looked at some 30 organizations, including social media platforms such as Facebook. The tech giant is accused of not properly protecting user data and not sharing how people’s data was harvested by others.
In its report the ICO also said several overseas regulators and agencies had requested updates to help move their own investigations forward.
“Given this, and the high public interest issues raised by this work, this report has been put together to consistently inform all parties as to our progress at this time,” the ICO said.
On a call with reporters, the UK’s information commissioner Elizabeth Denham said the fine “sends a clear signal that I consider this a significant issue, especially when you look at the scale and the impact of this kind of data breach. Facebook has failed to provide the kinds of protections they’re required to do under data protection laws,” she said.
The revelations that data belonging to as many as 87 million Facebook users and their friends may have been misused is a “game changer” in the world of data protection, Denham said. Her office is leading the European investigations into how such an amount of data—most belonging to U.S. and UK residents, she says—could have ended up in the hands of a consulting firm that worked on Donald Trump’s U.S. presidential campaign.
Facebook will get a chance to respond to the proposed penalties before the ICO releases a final decision.
“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” said Erin Egan, Facebook’s chief privacy officer. “We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the U.S. and other countries. We’re reviewing the report and will respond to the ICO soon.”
The ICO’s findings show “the scale of the problem and that we are doing the right thing with our new data protection rules,” EU justice commissioner Vera Jourova said Wednesday, referring to Europe’s new General Data Protection Regulation, in place since May 25.
Under the law, the ICO could have levied a much higher penalty. Violations of GDPR rules may lead to fines of as much as 4% of a company’s global annual sales. For the year ending Dec. 31, 2017, Facebook’s revenue totaled $40.65 billion, meaning it could have faced a maximum fine of about $1.6 billion.
But GDPR only applies to violations committed on or as of May 25 and not retro-actively. Instead, a 500,000-pound ($662,500) fine equates to less than 1% of the $114 million the company generated per day in 2017.
One of Europe’s most outspoken privacy regulators, Johannes Caspar in Hamburg, Germany, said in an email that his office also started an infringement procedure under the previous data protection law against Facebook’s unit in Ireland, its European headquarters. Any decisions here could lead to a maximum fine of 300,000 euros ($352,000), he said.
Denham said her office is now combing through “hundreds of terabytes of data” it gathered at the offices of Cambridge Analytica during searches in March after reports that the firm had obtained swathes of data from a researcher who transferred the information without Facebook’s permission.
The ICO also plans to send warning letters to 11 political parties and will call on them to agree to audits of their privacy practices. Enforcement notices are planned against Cambridge Analytica affiliate company SCL Elections and Canadian company Aggregate IQ, all of which worked closely together.
While Facebook earlier said the data of as many as 2.7 million Europeans might have been shared with Cambridge Analytica, the company last month told EU lawmakers that private data about its European users may not have fallen into the hands of the UK-based data-crunching venture after all. Facebook said it wouldn’t be able to make any firm conclusions on the matter until it conducts its own audit.
UK lawmaker Damian Collins, head of a parliament committee investigating the impact of social media on recent elections, said Facebook needs to be more transparent.
“Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way,” Collins said in a statement. “This cannot be left to a secret internal investigation at Facebook.”Favorite