Facebook is to be fined £500,000, the maximum amount possible, for its involvement in the Cambridge Analytica scandal, the information commissioner has announced.
The fine is for two breaches of the Data Protection Act. The Information Commissioner’s Office (ICO) concluded that Facebook failed to safeguard its users’ information and that it failed to be transparent about how that data was harvested by others.
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act,” said Elizabeth Denham, the information commissioner. “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
In the first quarter of 2018, Facebook took £500,000 in revenue every five and a half minutes. Because of the timing of the breaches, the ICO said it was unable to levy the penalties introduced by the European General Data Protection (GDPR), which caps fines at the higher level of €20m (£17m) or 4% of global turnover – in Facebook’s case, $1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.
The ICO will also bring a criminal action against Cambridge Analytica’s defunct parent company SCL Elections.
The ICO said it will send out warning letters and audit notices to 11 political parties, and will seek a criminal prosecution for SCL, the parent company of the now-defunct controversial political data analytics firm Cambridge Analytica.
The fine on Facebook was unveiled as part of the ICO’s report investigating whether personal data had been misused by political campaigns during the 2016 referendum on the U.K.’s membership of the European Union.