Facebook has reached a settlement with the U.K.’s Information Commissioner’s Office (ICO) over Facebook’s role in the misuse of users’ personal data in the lead-up to the 2016 European Union (EU) membership referendum.
Following an investigation that started in 2017, the ICO hit Facebook with a £500,000 ($644,000) fine last October over its failure to prevent controversial data analytics firm Cambridge Analytica from improperly accessing user data. Facebook argued that even by the ICO’s own admission, there was no evidence to suggest that any private Facebook users’ data was used by Cambridge Analytica, Cambridge University academic Dr. Aleksandr Kogan, or any affiliates to target voters in the build-up to the Brexit vote, and thus it planned to appeal the fine.
The ICO argued that the fine was justified regardless, because Facebook’s U.K. members’ data was put at risk and the tech firm did little to address the problem even after it had become aware of it. As part of the settlement which was announced this morning, Facebook will agree to pay the fine without having to admit any liability or wrongdoing. Both the ICO and Facebook will pay their own legal fees.
“The ICO welcomes the agreement reached with Facebook for the withdrawal of their appeal against our Monetary Penalty Notice (MPN) and agreement to pay the fine,” noted ICO deputy commissioner James Dipple-Johnstone. “The ICO’s main concern was that U.K. citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy.”
It’s worth noting here that Facebook was fined the maximum possible by the ICO under the 1998 Data Protection Act that was in place at the time. However, with the new General Data Protection Regulation (GDPR) that came into force across the EU last year, Facebook’s fine would likely have been significantly higher today. By way of example, Google was hit with a €50 million ($57 million) GDPR fine by French data privacy body CNIL back in January over a “lack of transparency” and “inadequate information” about how ads are personalized for each user. Elsewhere, British Airways was slapped with a (provisional) $230 million fine over a huge data breach, while Marriott received a $127 million penalty for a similar breach.
While the value of the fine is a drop in the ocean relative to Facebook’s revenues, the company was clearly keen to fight the liability facet of the case so that it wouldn’t set a precedent for other regulators to follow. That said, Facebook is facing significant scrutiny elsewhere, and recently settled with the U.S. Federal Trade Commission (FTC) to the tune of $5 billion over the way it mishandled user privacy in relation to Cambridge Analytica. As part of the deal, the FTC absolved Facebook executives from liability over allegations that the company had violated a previous privacy order.
“As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015,” added Facebook general counsel Harry Kinmonth. “We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information. The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr Kogan.”