Facebook is set to be fined £500,000 by the UK’s privacy watchdog after it concluded the social media giant broke data laws.
The California-headquartered company failed to protect users’ information and then failed to be clear about how that information had been harvested by others. That was the conclusion of a major report into whether personal data had been misused by both sides during the EU referendum.
Facebook and Cambridge Analytica have been under scrutiny since it emerged that an app had been used to harvest the data of millions of Facebook users around the world, with the total number of people affected now at 87 million.
The watchdog launched its formal inquiry into the use of data analytics to target voters in March last year amid concerns that Britons’ privacy could be put at risk by new campaign tactics, with a particular focus on the Brexit campaign.
The investigation included political parties, data analytics companies and social media platforms.
In a progress update to a parliamentary select committee, the ICO said it had served Facebook with a notice of intent to issue its maximum fine after it found the company had twice breached the Data Protection Act 1998 (DPA). A final decision will be made after the social media giant has had a chance to respond.
While a fine of £500,000 is the biggest possible punishment available to the ICO, it is the same amount of money that Facebook makes in just a few minutes.
The fine may have been much larger if the breach had taken place under the EU’s new data protection regulations. As part of those rules, known as GDPR, firms can be fined up to 4 per cent of their global turnover for data breaches, but the ICO said the timing of the breaches meant it could not use those new powers.
It also wrote warning letters to the main political parties and set out plans for a criminal prosecution against SCL Elections, parent company of Cambridge Analytica, which was shut down following revelations about its use of Facebook data.
Elizabeth Denham, the information commissioner, said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
She added: “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
The official Brexit campaign group, Vote Leave, remains under investigation into whether it breached the DPA by allegedly transferring UK citizens’ personal data outside the UK.
Leave.EU, the unofficial Brexit campaign headed by former Ukip leader Nigel Farage, is under investigation over allegations it used customer data shared by an insurance company for political campaign purposes.