The ICO has announced that Facebook will be fined the maximum possible amount of £500,000 for its breaches of the Data Protection Act in relation to the Cambridge Analytica scandal, an amount that pales in comparison with the new fines introduced under GDPR.
We previously blogged on the scandal here. According to the Information Commissioner’s Office’s latest announcement, Facebook failed to safeguard users’ data: it did not take adequate steps to ensure that the data given to Cambridge Analytica had been deleted, and it was not transparent with its users about the ways in which their data was being harvested.
Had the breaches occurred after 25th May this year, Facebook would have been exposed to the new GDPR penalties, which allow fines of up to the higher of €20 million (£17 million) or 4% of the company’s global annual turnover. For Facebook, 4% of global annual turnover would amount to around £1.4 billion, not £1.4 million, so the gap between the old and new regimes is several orders of magnitude.
The ICO’s announcement shows that this kind of breach will need to be treated very seriously in the future, with the ICO also contacting the 11 main UK political parties to direct them to have their data protection practices checked.
Facebook’s Chief Privacy Officer admitted that they could have “done more to investigate claims about Cambridge Analytica” earlier and said the company will respond to the ICO’s notice of intent to fine in the coming weeks. What is clear, however, is that organisations should now not only ensure they have a lawful basis on which to process personal data, but also (as is the intent of GDPR) be transparent with data subjects about how that data is used and with whom it is shared.