Facebook and the Cambridge Analytica Fine – A Huge GDPR Warning

Social network giant Facebook has this week been issued with the maximum £500,000 fine for its role in the Cambridge Analytica scandal, which saw users’ data harvested and subsequently exploited for targeted political marketing.

Following the much-publicised investigation, the Information Commissioner’s Office (ICO) has concluded that Facebook has been responsible for two separate breaches of the 1998 Data Protection Act: first, that it failed to properly safeguard its users’ information, and second, that it failed to be transparent once it was aware that data had been harvested.

MP Damian Collins, the chair of the Digital, Culture, Media and Sport Committee that has undertaken the investigation, issued a statement saying that Facebook has “consistently failed to answer the questions from the committee”, and that the responses received have been “consistently slow and unsatisfactory”. He also acknowledged that the scale of the issue may be far greater than currently recognised, and that the number of Facebook users affected could potentially be far higher than currently known.

At £500,000, the penalty amounts to the then-highest fine available to the ICO. Despite this, many will consider it to be nothing short of a massive let-off for Facebook (especially when one considers that in the first quarter of 2018, the company took £500,000 in revenue every five and a half minutes). This is because the ICO conducted its investigation under, and its judgment was bound by, the older regime of the 1998 Data Protection Act.

Since the coming into force of the new 2018 regime under the GDPR, companies can now expect to be on the receiving end of far greater fines for breaches of data laws. The older £500,000 cap under the 1998 Act has now been replaced by the GDPR, which sets the cap for fines at the higher level of €20 million (approximately £17 million), or 4% of global annual turnover. In Facebook terms, this could amount to a fine of £1.4 billion. Elizabeth Denham, the Information Commissioner on the investigation, has already stated that it is possible that fines for similar breaches by companies in the future could reach these extraordinary heights.

From today’s news, then, companies should heed a strong warning. The inquiry is already being described as ‘the most important investigation the ICO has ever undertaken’, and the result could not be clearer: the ICO is unafraid to hand down substantial fines for failure to adhere to data protection laws, and the scale of those fines looks set to get exponentially bigger.

The 2018 Data Protection Act is now fully in force, along with the higher fines it can impose. Organisations would do well to ensure they are fully compliant with the tough new regulations in order to avoid these potentially devastating penalties.

Forbes regularly advises on all matters relating to the GDPR and 2018 Data Protection Act. Contact us at ciaran.rafferty@forbessolicitors.co.uk to discuss any issues further.

Dan Crayford

About Dan Crayford

Dan joined Forbes in 2014, gaining experience in complex insurance litigation which involved advising clients in the construction and public sectors. In early 2017, Dan joined the Commercial team and moved to specialise in advising clients in the public, quasi-public and third sectors, predominantly in the fields of construction, procurement, social housing regulation, and education governance. Dan has a particular interest in contracts and procurement law, with a focus on advising registered providers of social housing, educational institutions, and other public and charitable organisations. Dan has worked with a range of clients in these sectors including registered providers of social housing of all sizes, maintained schools to MATs, other charities and community entities including CIOs, and CICs. Dan also regularly advises organisations from all sectors on data protection and freedom of information matters, including GDPR, PECR, and Environmental Information Regulations.