The UK’s information regulator has imposed a small but symbolic fine on Facebook for breaches of data protection law after millions of users’ data was improperly accessed by consultancy Cambridge Analytica.
The £500,000 fine is less than 10 minutes’ worth of revenue for the social media firm worth $590bn, but is the maximum amount allowed and emphasises how regulators are finding fault in Facebook’s business practices.
Facebook chief executive Mark Zuckerberg has faced questioning by US and European politicians over how Cambridge Analytica improperly got hold of the personal data of 87 million Facebook users from a researcher. The company has promised to introduce reforms to its policies ahead of local elections in the UK next year.
In an update on the investigation into the use of data analytics by political campaigns, Britain’s Information Commissioner’s Office (ICO) said it would fine Facebook, though the company can respond to the commissioner before a final decision is made.
Information Commissioner Elizabeth Denham said that Facebook had broken the law by failing to safeguard people’s information and had not been transparent about how data was harvested by others on its platform.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law,” she said in a statement.
In March 2017, the ICO began looking into whether personal data had been misused by campaigns on both sides of the referendum on membership of the EU. In May it launched an investigation that included political parties, data analytics companies and major social media platforms.
Today’s progress report gives details of some of the organisations and individuals under investigation, as well as enforcement actions so far. This includes the ICO’s intention to fine Facebook for two breaches of the Data Protection Act 1998.
Facebook has a chance to respond to the Commissioner’s Notice of Intent, after which a final decision will be made. Other regulatory action set out in the report comprises:
- warning letters to 11 political parties and notices compelling them to agree to audits of their data protection practices;
- an Enforcement Notice for SCL Elections Ltd to compel it to deal properly with a subject access request from Professor David Carroll;
- a criminal prosecution for SCL Elections Ltd for failing to properly deal with the ICO’s Enforcement Notice;
- an Enforcement Notice for Aggregate IQ to stop processing retained data belonging to UK citizens;
- a Notice of Intent to take regulatory action against data broker Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd); and
- audits of the main credit reference companies and Cambridge University Psychometric Centre.
Denham added: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes. Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
A second, partner report, titled Democracy Disrupted? Personal information and political influence, sets out findings and recommendations arising out of the 14-month investigation. Among the ten recommendations is a call for the Government to introduce a statutory Code of Practice for the use of personal data in political campaigns.
Denham has also called for an “ethical pause” to allow Government, Parliament, regulators, political parties, online platforms and the public to reflect on their responsibilities in the era of big data before there is a greater expansion in the use of new technologies.
She said: “People cannot have control over their own data if they don’t know or understand how it is being used. That’s why greater and genuine transparency about the use of data analytics is vital.”
In addition, the ICO commissioned research from the Centre for the Analysis of Social Media at the independent thinktank DEMOS. Its report, also published today, examines current and emerging trends in how data is used in political campaigns, how use of technology is changing and how it may evolve in the next two to five years.
The investigation, one of the largest of its kind by a Data Protection Authority, remains ongoing. The 40-strong investigation team is pursuing active lines of enquiry and reviewing a considerable amount of material retrieved from servers and equipment.
The interim progress report has been produced to inform the work of the DCMS’s Select Committee into Fake News. The next phase of the ICO’s work is expected to be concluded by the end of October 2018.
Facebook’s fine is the maximum allowed under Britain’s old data protection law, although that was replaced in May by the European Union’s General Data Protection Regulation (GDPR), under which companies can be fined up to 4% of revenue for breaches.
Facebook said it was reviewing the report and would respond soon. “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” Erin Egan, Facebook’s Chief Privacy Officer, said in a statement.
“We have been working closely with the Information Commissioner’s Office in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries.”
David Carroll, an academic who is attempting to recover his data from Cambridge Analytica, said the report strengthened his legal challenge. “Our day in British court may be within reach,” he told Reuters in an email. “The fines may seem like rounding errors for Facebook. But if American voters can somehow recover and repatriate our complete voter profiles then democracies will have won the day against dark data.”