On Oct. 25, UK ICO fined Facebook for data protection failures.
Fine Issued
- Facebook fined £500,000 (the maximum allowable under the laws which applied at the time the incidents occurred) for serious breaches of data protection law.
- Due to timing dealt with under Data Protection Act 1998, not GDPR and 2018 Act.
- In Jul. 2018, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of personal data analytics for political purposes.
- After considering representations, fine issued and amount will remain unchanged.
Findings
- Between 2007 and 2014 Facebook processed users' personal information unfairly by allowing application developers access to information without clear consent.
- Facebook also failed to keep users' personal information secure because it failed to make suitable checks on applications and developers using its platform.
- One developer harvested the Facebook data of up to 87mn people worldwide.
- Data later shared with other organisations, including SCL Group, parent company of Cambridge Analytica who were involved in political campaigning in the USA.
- Following discovery in Dec. 2015 of misuse of data, Facebook did not do enough to ensure adequate/timely remedial action was taken, including deletion of data.
- For example, Facebook did not suspend SCL Group from its platform until 2018.
- ICO found that the personal information of at least 1mn UK users was among the harvested data and was consequently put at risk of further use without consent.