In this March 29, 2018, photo, the logo for Facebook appears on screens at the NASDAQ MarketSite in New York's Times Square. (RICHARD DREW / AP)
Facebook Inc could be fined 500,000 pounds (US$664,000) by the UK’s privacy regulator after the social-network giant failed to prevent key user data falling into the hands of a political consultancy that helped get President Donald Trump elected.
The UK Information Commissioner’s Office (ICO) is threatening the company with the maximum penalty allowed, it said Wednesday when issuing its first findings in a probe that looked at some 30 organizations, including social-media platforms such as Facebook. The tech giant is accused of not properly protecting user data and not sharing how people’s data was harvested by others.
“Facebook has failed to provide the kinds of protections they’re required to do under data protection laws,” Information Commissioner Elizabeth Denham said on a call with reporters. The fine “sends a clear signal that I consider this a significant issue, especially when you look at the scale and the impact of this kind of data breach.”
The revelation that data belonging to as many as 87 million Facebook users and their friends may have been misused is a “game changer” in the world of data protection, Denham said. Her office is leading the European investigations into how such an amount of data - most belonging to US and UK residents, she says - could have ended up in the hands of a consulting firm that worked on Donald J Trump’s US presidential campaign.
Facebook will get a chance to respond to the proposed penalties before the ICO releases a final decision.
“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” said Erin Egan, Facebook’s chief privacy officer. “We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”
The ICO could have levied a much higher and potentially more painful penalty under new European Union rules in place since May 25, where violations could lead to fines of as much as 4 percent of a company’s global annual sales. But the law only applies to violations committed on or after that date, not retroactively. That’s why the ICO’s intended fine is capped at the maximum of 500,000 pounds that it could levy under previous privacy rules.
While Facebook earlier said the data of as many as 2.7 million Europeans might have been shared with Cambridge Analytica, the company last month told EU lawmakers that private data about its European users may not have fallen into the hands of the UK-based data-crunching venture after all. Facebook said it wouldn’t be able to make any firm conclusions on the matter until it conducts its own audit.
“What matters is us looking at Facebook’s responsibility in terms of the platform,” Denham told reporters in response to the company’s claims. “We know that 87 million profiles around the world were collected through just 320,000 actual users of the app.”
Denham said her office is combing through “hundreds of terabytes of data” it gathered at the offices of Cambridge Analytica during searches in March after reports that the firm had obtained swathes of data from a researcher who transferred the information without Facebook’s permission.
The ICO’s probe goes much further than just Cambridge Analytica, and it’s become “a much broader exercise to take a systemic look at the issues.”
The ICO also plans to send warning letters to 11 political parties and will call on them to agree to audits of their privacy practices. Enforcement notices are planned against Cambridge Analytica affiliate company SCL Elections and Canadian company Aggregate IQ, all of which worked closely together.
The ICO said it has “reason to believe that that data may still be retained by Aggregate IQ” and the notice is to stop it from using any data relating to UK voters.
“It’s an important moment for data protection,” said Denham. “Very few people had an awareness of how they can be micro-targeted, persuaded or nudged in a democratic campaign, in an election or a referendum.”