The US$663,850 fine is less that 10 minutes worth of revenue for the social media firm worth US$590 billion, but is the maximum amount allowed and emphasises how regulators are finding fault with Facebook’s business practices.
Facebook CEO Mark Zuckerberg has faced questioning by US and EU lawmakers over how Cambridge Analytica improperly obtained the personal data of 87 million Facebook users from a researcher. The company has promised to introduce reforms to its policies ahead of local elections in Britain next year.
Updating on her investigation into the use of data analytics by political campaigns, Britain’s Information Commissioner’s Office (ICO) said it would fine Facebook, though it can respond to the commissioner before a final decision is made.
Information Commissioner Elizabeth Denham said that Facebook had broken the law by failing to safeguard people’s information and had not been transparent about how data was harvested by others on its platform.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law,” she said in a statement.
The fine is the maximum allowed under Britain’s old data protection law, although that was replaced by the European Union’s General Data Protection Regulation (GDPR) in May, where companies can be fined up to 4% of revenue for breaches.
Facebook said it was reviewing the report and would respond soon.
“As we have said before, we should have done more to investigate claims about Cambridge Analytica and taken action in 2015,” Erin Egan, Facebook’s Chief Privacy Officer, said in a statement.
“We have been working closely with the Information Commissioner’s Office in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries.”
British lawmakers have launched an inquiry into “fake news” and its effect on election campaigns, and have increasingly focused on Cambridge Analytica. The ICO said it was providing the interim report to help that inquiry.
The chair of the parliamentary inquiry Damian Collins said that other apps could also have collected data on users in a similar way to the Cambridge Analytica data.
“Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way,” he said.
Cambridge Analytica, which was hired by Donald Trump in 2016, has denied its work on the US president’s successful election campaign made use of data.
It has also said that, while it pitched for work with campaign group Leave.EU ahead of the Brexit referendum in Britain in 2016, it did not end up doing any work on the campaign.
However, the Information Commissioner’s report said other regulatory action would include a criminal prosecution against Cambridge Analytica’s parent firm, SCL Elections, for failing to deal with the regulator’s enforcement notice.
It also said it would send warning letters to 11 political parties to compel them to audit their data protection practices.
It said it was investigating both leave and remain campaigners in the referendum, and that it had issued an enforcement notice for AIQ, a data firm that worked for official Brexit campaign Vote Leave, to stop processing retained data from British citizens.
David Carroll, an academic who is attempting to recover his data from Cambridge Analytica, said the report strengthened his legal challenge.
“Our day in British court may be within reach,” he told Reuters in an email.
“The fines may seem like rounding errors for Facebook … But if American voters can somehow recover and repatriate our complete voter profiles then democracies will have won the day against dark data.”