Facebook has reached a settlement with the U.K.’s Information Commissioner’s Office (ICO) over the company’s role in misuse of personal user data ahead of the 2016 European Union (EU) membership referendum.
Following an investigation that started in 2017, the ICO in October hit Facebook with a £500,000 ($644,000) fine over its failure to prevent controversial data analytics firm Cambridge Analytica from improperly accessing user data. The scandal stems from a personality quiz app developed by Cambridge University academic Dr. Aleksandr Kogan that harvested personal details of up to 87 million Facebook users, and the sharing of some of this data with Cambridge Analytica, which used it to target political ads in the U.S.
Facebook argued that even by the ICO’s own admission, there was no evidence to suggest any Facebook users’ private data was used by Cambridge Analytica or any affiliates to target voters in the build-up to the Brexit vote. As such, Facebook announced last November that it planned to appeal the fine.
The ICO had argued that the fine was justified — regardless of whether any Facebook data was improperly used — because Facebook’s U.K. members’ data was put at risk and the tech firm did little to address the problem even after it became aware of it. As part of the settlement, which was announced this morning, Facebook agreed to pay the fine without having to admit any liability. Both the ICO and Facebook will pay their own legal fees.
“The ICO welcomes the agreement reached with Facebook for the withdrawal of their appeal against our Monetary Penalty Notice (MPN) and agreement to pay the fine,” said ICO deputy commissioner James Dipple-Johnstone. “The ICO’s main concern was that U.K. citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also, as we now know, for the preservation of a strong democracy.”
It’s worth noting that Facebook was fined the maximum possible by the ICO under the 1998 Data Protection Act that was in place at the time. However, under the new General Data Protection Regulation (GDPR) that went into effect across the EU last year, Facebook’s fine would likely have been significantly higher. By way of example, Google was hit with a €50 million ($57 million) GDPR fine by French data privacy body CNIL back in January for a “lack of transparency” and “inadequate information” about how ads are personalized for each user. Elsewhere, British Airways was slapped with a (provisional) $230 million fine over a huge data breach, while Marriott received a $127 million penalty for a similar breach.
While the value of the fine is a drop in the ocean relative to Facebook’s revenues, the company was evidently keen to fight the liability facet of the case to avoid setting a precedent for other regulators to follow. That said, Facebook is facing significant scrutiny elsewhere and recently settled with the U.S. Federal Trade Commission (FTC) to the tune of $5 billion over the way it mishandled user privacy in relation to Cambridge Analytica. As part of the deal, the FTC absolved Facebook executives from liability over allegations that the company had violated a previous privacy order. Italy’s privacy regulator also hit Facebook with a $1 million fine this year for the Cambridge Analytica scandal.
“As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015,” added Facebook general counsel Harry Kinmonth. “We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information. The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr Kogan.”