The Information Commissioner’s Office (ICO) has fined social media giant Facebook the maximum £500,000 for “serious breaches” of data protection law.
In an announcement today, the data regulator for England and Wales said it has concluded its investigation into Facebook concerning the use of data analytics for political purposes.
The breach took place before the introduction of the General Data Protection Regulation (GDPR), shielding the social platform from even greater fines.
In a statement, ICO said it has “considered representation from the company” and has “issued the fine to Facebook” – the maximum allowable under the laws which applied at the time the incidents occurred.
The review centres on breaches which took place between 2007 and 2017, during which time Facebook processed the personal information of users unfairly by allowing application developers to access that information without sufficiently clear and informed consent – an aspect of data protection which has since been addressed by GDPR.
The misuse of this data was discovered in December 2015, but Facebook continued to “not do enough” to ensure that those who still held the personal information had taken adequate remedial action, including deletion.
In total, the regulator found that the personal information of at least one million UK users was among “the harvested data” and was “consequentially put at risk of further misuse”.
Commenting on the fine, Elizabeth Denham, Information Commissioner, said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
GDPR, introduced in May this year, enforces maximum fines of either 20 million euros or four per cent of company turnover (whichever is greater). It brings with it much stricter rules and regulations on how customer data can be used and processed, for example, by introducing a rigorous ‘consent’ regime.
With the threat of such significant fines looming over companies, special care should be taken to ensure that customer data is secure and unavailable for potential misuse.
As such, companies should consider regular audits of the data they hold and how it is collected, carried out by in-house data protection officers or specialist outsourced consultants.
For help and advice protecting customer data and addressing potential breaches, please get in touch.