The U.K. Information Commissioner’s Office (ICO) has confirmed that it has hit Facebook with a maximum £500,000 ($645,000) fine over the way it mishandled user data in the Cambridge Analytica scandal earlier this year. The introduction of GDPR has since given the ICO the power to issue fines of up to £17 million ($22 million) or four percent of a company’s global turnover — that’s potentially up to $1.6 billion in Facebook’s case.
The ICO announced its intention to hand Facebook the fine back in July, and it said today that it had not changed its mind after hearing the social network’s responses to the key questions raised. In the case of Cambridge Analytica, the ICO found that at least one million U.K. users were among the 87 million Facebook users whose private data was harvested by Dr. Aleksandr Kogan and his company Global Science Research (GSR).
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” Information Commissioner Elizabeth Denham said in a statement.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people’s personal data,” she added.
While the issue was identified in 2015, GSR and Kogan were not removed from Facebook’s platform until this year. That led the British regulator to conclude that, beyond failing to “make suitable checks on apps and developers using its platform,” Facebook “did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action.” Indeed, CEO Mark Zuckerberg himself has admitted that the decision was a mistake.