The ICO intends to fine Facebook a maximum £500,000 for two breaches of the Data Protection Act 1998. The UK data protection regulator is investigating use of data analytics in political campaigns. In March 2017, the ICO began looking into whether personal data had been misused by campaigns on both sides of the referendum on membership of the EU. In May it began an investigation that included political parties, data analytics companies and major social media platforms.
Facebook, together with Cambridge Analytica, has been the focus of the investigation since February, when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world; that figure has since been revised to 87 million. The ICO concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.
Information Commissioner Elizabeth Denham said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes. New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
Christopher Littlejohns, EMEA manager at software security company Synopsys, said: “The intended £500K fine imposed on Facebook for the Cambridge Analytica scandal is a salutary lesson to companies operating within the European region. The underlying contraventions are considered by regulatory authorities to be on the top end of the scale of violations of data privacy. Should this or a similarly grave issue happen now, fines within the new GDPR regime could easily cost Facebook hundreds of millions of dollars of revenue.
“Such fines are potentially so large they can significantly affect operating margin, and ultimately share prices of large companies. Personal data collectors and aggregators are particularly at risk from these issues, due to the scale and value of the data they collect, and consequently should be extremely vigilant and diligent in their custodianship of such data.
“Companies that do not undertake effective risk analysis, data privacy management, ongoing diligence, and open communication with users and authorities when breaches occur will potentially face severe business impediments at best, and existential threats at worst.”
And Rachel Aldighieri, MD of the DMA (Direct Marketing Association), said: “This is the first time the ICO has said it will issue the maximum fine available to it under the Data Protection Act 1998, which only goes to show the significance and potential impact on consumer privacy the regulator believes is involved in this case. The news of the intention to fine Facebook comes from a detailed update from the regulator on its ongoing investigation into the use of data analytics in political campaigns, so while there may be some time to go until the penalties are finalised, the intent from the ICO is clear. It’s encouraging to see the ICO is also not allowing Cambridge Analytica, and its associated businesses, to avoid justice through insolvency, and that it will still be holding the senior management of these businesses to account.
“Under the new GDPR regulations, brought into UK law in the recent Data Protection Act 2018 that came into force on 25 May, the penalties available to the ICO could have been even more severe – 4pc of an organisation’s global annual turnover or €20m, whichever is higher. However, the potential impact of data breaches and privacy concerns like this goes far beyond the monetary penalties; the long-term effects on customer trust, share price and public perception of breaking the law could be even more damaging in the long run.
“All businesses must be upfront and transparent about how they collect and use their customers’ data. The benefits of sharing data must also be clear and the consumers must be in control. We know people want this – recent DMA research found 88pc of people in the UK want more transparency around how their data is used. We outline how businesses can do this in our own Code, which calls for all DMA UK members to be accountable for how they use personal data. This is a key challenge that all businesses need to address if they are to build trust with consumers and long-term relationships that can benefit both the business and the customer.”