Facebook has been slapped with a £500,000 fine for the role it played in the Cambridge Analytica scandal, in which the data of 87m users was harvested for political purposes.
The data regulator found that the social network failed to safeguard users’ information and allowed people’s personal data to be harvested by others, constituting a breach of the Data Protection Act 1998. Had the breach occurred after May this year, Facebook may have faced a far greater fine under the new data protection law, a maximum of 4pc of global turnover or €20m (£18m), whichever was highest.
The penalty could be just the first in what might become several fines for Mark Zuckerberg as the Information Commissioner’s Office continues to investigate other aspects of Facebook’s data sharing such as an advertising service that combined third party data with the likes of credit check giant Experian, among others. Facebook said it has suspended the service in the EU as a result.
The ICO's probe went beyond how Facebook allowed Dr Aleksandr Kogan, the data scientist who created an app to harvest the personal information of 87m Facebook users and Cambridge Analytica, the now-defunct political campaigning company that the Facebook data was passed on to.
It also determined links between Dr Kogan and Canadian-headquartered data analytics company, Aggregate IQ, which still holds UK citizen data, allegedly passed on by the Leave EU campaign group. Leave EU has denied allegations of wrongdoing.
Facebook and Cambridge Analytica | The story so far
The regulator said it was difficult to ascertain whether Facebook data had played a role in manipulating the outcome of the European Referendum, however, it had grown concerned about the scale of political parties using software to target or manipulate voters, including software tools that could predict someone’s ethnicity.
It is sending warning letters suggesting all Britain's political parties give themselves up for a data audit or face their own investigation after it found a large “supply of personal data” to political parties. One data broker called Emma’s Diary had caused “significant concern” after it supplied information about mothers in hospital and has been served an enforcement notice as a result.
Five years after Snowden's leaks: Big Tech ousts Big Brother in surveillance debate
The ICO will also open a probe into Cambridge University and its data science department over concerns about how easy it was for Dr Kogan and his peers to undertake commercial research, while operating under the umbrella of a respected institution. The university's psychometric unit is said to be cooperating with the audit, but the ICO is concerned that other institutions may have similarly put people’s privacy at risk. Cambridge University did not respond to requests for comment.
Information Commissioner Elizabeth Denham told The Daily Telegraph: “We are concerned about data negligence, the lack of boundaries and the lack of due diligence around data research.”
Ms Denham said the early results of the investigation shone a light on what had become a wild west in recent years.
She said: “Very few people had an awareness of how they can be personally micro targeted or nudged in a democratic campaign like an election or referendum, and this is the time when people are sitting up and saying ‘we need a pause here and we need to be comfortable with how data is used in our democratic processes’."
Specialist forensics will continue to sift through the “hundreds of terabytes” of Dr Kogan’s Facebook data to identify which nationalities where caught up, which will then be passed on to official representatives.
Facebook executives recently appeared in front of European parliament, where they claimed they did not believe European data had been caught up in the data harvesting scandal. “That is in dispute,” Ms Denham said.
Erin Egan, chief privacy officer at Facebook, said: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015.
"We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon.” Facebook has been set a deadline to respond and appeal to the claims made in the report.
Whistleblower Christopher Wylie said on Twitter: "Months ago, I reported Facebook and Cambridge Analytica to the UK authorities.
"Based on that evidence, Facebook is today being issued with the maximum fine allowed under British law.
"Cambridge Analytica, including possibly its directors, will be criminally prosecuted."
Whistleblower Shahmir Sanni said the report was "ever more proof the people in power are not fit to lead a country in the digital age, let alone fight for truth".
He tweeted: "We must hold EVERYONE that tried to silence this story or brush it aside to account. We must give more power to orgs like the ICO and EC (Electoral Commission)."