UK ICO Fines Facebook £500,000

On Oct. 25, UK ICO fined Facebook for data protection failures.

  • Follows ICO Jul. 2018 issued update on political data investigation.

Fine Issued

  • Facebook fined £500,000 (the maximum allowable under the laws which applied
    at the time the incidents occurred) for serious breaches of data protection law.
  • Due to timing dealt with under Data Protection Act 1998, not GDPR and 2018 Act.
  • In Jul. 2018, the ICO issued a Notice of Intent to fine Facebook as part of a wide
    ranging investigation into the use of personal data analytics for political purposes.
  • After considering representations, fine issued and amount will remain unchanged.


  • Between 2007 and 2014 Facebook processed users' personal information unfairly
    by allowing application developers access to information without clear consent.
  • Facebook also failed to keep users' personal information secure because it failed
    to make suitable checks on applications and developers using its platform.
  • One developer harvested the Facebook data of up to 87mn people worldwide.
  • Data later shared with other organisations, including SCL Group, parent company of Cambridge Analytica who were involved in political campaigning in the USA.
  • Following discovery in Dec. 2015 of misuse of data, Facebook did not do enough
    to ensure adequate/timely remedial action was taken, including deletion of data.
  • For example, Facebook did not suspend SCL Group from its platform until 2018.
  • ICO found that the personal information of at least 1mn UK users was among the
    harvested data and was consequently put at risk of further use without consent.