The British privacy watchdog on Thursday fined Facebook the maximum financial penalty it can impose for the company’s failure to protect the private information of its users in the Cambridge Analytica scandal.
Facebook received, through its Ireland office, a fine of £500,000 (about $645,000) from the UK’s Information Commissioner’s Office (ICO), the highest penalty the British watchdog can impose for data breaches. The fine would have been “significantly higher” under the EU General Data Protection Regulation (GDPR), which took effect in May, said Elizabeth Denham, head of the ICO, in a press statement published as a monetary penalty notice to Facebook. The new GDPR allows countries in the EU, including the UK, to fine companies up to 4% of their global turnover for violations involving users’ personal data.
Given Facebook’s size and level of expertise, it should have done better at protecting the personal information of its users before, during and after the illegal processing of the data, said Denham. Facebook failed to sufficiently and regularly check on the apps and developers using its platform, she added.
“These failings meant one developer, Dr. Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge,” the ICO’s statement said. In addition, a subset of the data was shared with third parties, including the British political consultancy Cambridge Analytica, which played a role in pro-Brexit campaigns in the UK as well as Donald Trump’s 2016 presidential run.
The fine is a minor cost for Facebook, despite being the heaviest that could be levied under the UK’s outdated 1998 Data Protection Act. Facebook made $13.2 billion in revenue in the last quarter alone.
Under the new GDPR, the maximum data breach fine could have been around £17 million ($22 million), based on 4% of Facebook’s latest global revenues.
The weight of penalties under the GDPR has forced many tech companies to tighten their privacy policies further. Facebook is reportedly shopping for a cybersecurity acquisition to prevent further data hacks. The company last week hired a former UK deputy prime minister for effective compliance with the new data privacy rules in the EU.
The UK’s Information Commissioner’s Office said it would release more evidence in November on the use of the stolen data for political persuasion in the nation’s government.