ICO issues £500,000 fine against Facebook for Cambridge Analytica scandal

To give a little background, in March of this year, an exposé published in the Guardian and New York Times revealed that the personal data of 87 million Facebook users, 1 million of which were UK Facebook users, was harvested from their profiles through personality quizzes and sold to Cambridge Analytica. Personal data was not only collected from those who participated in the quizzes, but also from the profiles of their Facebook “friends” without any notice or consent. Cambridge Analytica then used the data to develop targeted political advertisements to consumers to allegedly influence the outcome of both the 2016 presidential election in the US as well as the Brexit vote in the United Kingdom.

After months of investigation, the UK’s data protection authority, the Information Commissioner’s Office (ICO), has issued the maximum possible penalty against Facebook for its participation in the violations. Violations included the unfair processing of personal data as well as a lack of appropriate technical measures to protect the data from unauthorized or unlawful processing. As such, regulators stated that Facebook discovered the issue in December 2015 but failed to “do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion.”

These violations occurred before the European Union’s General Data Protection Regulation (GDPR) went into effect and therefore, Facebook was charged for violations against the GDPR’s predecessor in the UK, the Data Protection Act of 1998. Violations under this regulation were subject to a maximum penalty of just £500,000. Had these violations occurred after the GDPR enforcement date, Facebook would be facing a much higher penalty as the GDPR provides fines of up to €20 million or 4% of annual turnover for violations. To put that into perspective, Facebook’s revenue reached $40.7 billion in 2017, which means that Facebook could be facing a maximum fine of roughly $1.63 billion for violations under the GDPR.

Although Facebook’s penalty was relatively low, reputational costs could be high. Since the recent enactment of various privacy regulations, including the GDPR and California’s Consumer Privacy Act (CaCPA), consumers worldwide have become more aware of who has their personal data and what is being done with that data. Organizations must account for these costs in addition to the potential high monetary cost for violations of the GDPR and ensure they are as transparent as possible when collecting and processing personal data. This means ensuring privacy policies are updated to disclose why personal data is collected and developing a monitoring program to ensure processors and sub-processors are comply with service contracts and adhere to their respective obligations under the GDPR.

To read the full penalty notice from the ICO, please click here.

If you have questions about this enforcement or want to learn more about how CompliancePoint can help you establish a privacy program, please email consulting@compliancepoint.comwith attention to Matt Dumiak.




Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.