Timing is everything. If Facebook’s recent indiscretions around data privacy had taken place after the arrival of GDPR, it would have been looking at a potential fine of €20 million.
As it is, the US firm has gotten off with a fine from the UK Information Commissioner’s Office of £500,000 - the maximum penalty possible, but given Facebook’s turnover, essentially nothing more than a rap on the corporate knuckles.
The ICO says in a statement this morning:
Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had. Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform.
These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.
Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.
Got off lightly
Information Commissioner Elizabeth Denham made a point of picking up on how much more robust the punishment meted out would have been under a GDPR regime:
We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data. Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.
For its part, despite getting off lightly, Facebook continues to push its luck, saying:
We are currently reviewing the ICO's decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica.
What the ICO statement actually said was:
The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.
And Denham’s comment on Facebook was:
Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.
Denham is next due to give evidence to the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) Select Committee on 6 November.
The ICO fine comes 24 hours after Facebook’s privacy chief Erin Egan told a conference in Brussels that the firm supported calls for a ‘GDPR-US’ regime. Such a statement of co-operation is nicely timed as Members of the European Parliament meet with Justice Commissioner Vera Jourová tomorrow to discuss regulating Facebook in Europe.
It’s likely they will call for European authorities to carry out a full audit of Facebook’s practices and to insist on changes to the platform to comply with EU law, based on a resolution passed by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE). LIBE Committee Chair Claude Moraes explains:
This resolution makes clear that we expect measures to be taken to protect citizens’ right to private life, data protection and freedom of expression. Improvements have been made since the scandal, but, as the Facebook data breach of 50 million accounts showed just last month, these do not go far enough.
And while the UK may have taken its action, Facebook still faces big problems in Ireland where the country’s data protection authorities have opened up a probe into a security breach that affected as many as 50 million accounts - and this one does fall under GDPR!
A token rap on the knuckles, but a necessary statement of intent by the UK. It’s up to Ireland and others to take this on to the next step.