The social media platform was fined by the UK’s Information Commissioner’s Office for the “serious” data breach, which affected over 80M users.
The ICO’s investigation found that, because Facebook allowed personal data to be given to app developers, Aleksandr Kogan and his company GSR were able to harvest the data, with some of this information shared with organizations such as Cambridge Analytica parent company SCL.
It noted that even after the misuse of the data was discovered in December 2015, Facebook “did not do enough” to ensure those who continued to hold it had taken adequate and timely remedial action.
The fine was served under the Data Protection Act 1998. However, this was replaced earlier this year by an updated version of the law which, alongside the EU’s General Data Protection Regulation, means that Facebook could have been served a maximum fine of £17M or 4% of global turnover.
Elizabeth Denham, Information Commissioner, said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data. Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based,” she added.