U.K. Slaps Maximum Fine of $645,000 on Facebook for Privacy Violations

Xconomy San Francisco

The U.K.’s data privacy regulator fined Facebook $645,000 for violations that allowed political marketing firm Cambridge Analytica and other outside companies to extract 87 million Facebook profiles worldwide without adequate user knowledge or consent.

The purpose of the U.K.’s enforcement actions is to change the behavior of organizations that mishandle the sensitive private information of individuals, but the fine announced Thursday represents a minuscule fraction of Facebook’s (NASDAQ: FB) earnings. The company’s net income in the second quarter alone was more than $5 billion.

The Information Commissioner’s Office (ICO) imposed the maximum penalty under U.K. laws that were in effect during the period between 2007 and 2014, when Facebook opened broad access to the personal data of users to third-party application developers, even if those users had not downloaded the app but were merely connected as friends to someone who had, the agency found. Facebook took inadequate steps to regain control of the extracted data after its misuse was discovered in 2015, the ICO concluded.

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data,” Information Commissioner Elizabeth Denham said in a written statement. “A company of its size and expertise should have known better and it should have done better.”

After hearing Facebook’s account of the events, the ICO carried out the intent it had signaled in July—to levy the highest fine under its power. But Denham said the civil penalty would have been more severe under the new authority gained by the agency in May, when it could begin enforcing the U.K.’s Data Protection Act 2018 and the EU’s stringent General Data Protection Regulation (GDPR).

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation,” Denham stated. “The fine would inevitably have been significantly higher under the GDPR.”

Under provisions of the GDPR, companies that violate data privacy protection requirements can be fined as much as $21.7 million, or 4 percent of a company’s annual global revenue. The U.K. is implementing the GDPR, even though it is in the process of withdrawing from the European Union for other purposes.

The ICO said it found, based on Facebook’s statements, that as many as 1,765 Facebook users in Great Britain used an app offered by Aleksandr Kogan and his company Global Science Research (GSR). Through these users, Kogan and GSR were able to obtain personal data of at least a million Facebook users in the U.K. According to the ICO filing, Kogan and GSR shared this data, or information derived from it, with SCL Elections Limited, the parent company of Cambridge Analytica. These companies were then at liberty to use the personal data in political campaigns, the agency says.

Cambridge Analytica was suspected of influencing voter opinion using personal profiles during the 2016 U.S. presidential election. The U.K. has also been investigating the use of social media in the campaign over the “Brexit” vote, which tipped in favor of ending its membership in the EU.

Facebook responded to the ICO action with a written statement:

“We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.”

But Facebook said the regulatory body has not proven that Cambridge Analytica had access to the data.

“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest U.K. Facebook users’ data was in fact shared with Cambridge Analytica. Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”

Facebook’s user numbers are likely to be closely scrutinized when the company releases its third quarter earnings report on Oct. 30. According to a Recode report, younger people were already dropping away from Facebook before the revelations early this year that Facebook had allowed app developers, including Cambridge Analytica, to easily export user data.

The company has been called on the carpet this year by U.S. lawmakers as well as European authorities for its privacy policies and its role in spreading false and divisive messages. On top of that, Facebook revealed in September that hackers had invaded the network and gained access to the personal data of almost 50 million users, the New York Times reported.

In its second quarter report on July 25, Facebook said it had a global average of 1.47 billion daily active users in June—11 percent more than the same period in 2017. But the company didn’t gain users in North America, and the numbers dipped in Europe, according to CNBC.

The company’s share price, which closed at $217.50 on the day of the report, dropped nearly 19 percent the next day, despite the company’s 42 percent rise in revenue and 31 percent gain in net income compared to the same quarter of 2017. The company signaled that those revenue increases could slow down, however. That could be in part because stricter privacy regulations might make it harder to sell advertising services targeted to individuals based on their personal characteristics, TechCrunch reported. Facebook lost more than $100 billion in market capitalization in the stock market dive, and its share price has trended downward since. The shares closed at $150.95 on Thursday.

Meanwhile, Congress and European authorities are still mulling further action and possible new regulations. The ICO is still pursuing a wider investigation into the political impact of social media and data analytics in election campaigns.

“Our work is continuing,” Denham said. “There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
