12 July, 2018
Social network giant Facebook has this week been issued with the maximum £500,000 fine for its role in the Cambridge Analytica scandal, which saw users' data being harvested and subsequently exploited for targeted political marketing.
Following the much-publicised investigation, the Information Commissioner's Office (ICO) has concluded that Facebook has been responsible for two separate breaches of the 1998 Data Protection Act: first, that it failed to properly safeguard its users' information, and second, that it failed to be transparent once it was aware that data had been harvested.
MP Damian Collins, the chair of the Digital, Culture, Media and Sport Committee that has undertaken the investigation, issued a statement saying that Facebook has "consistently failed to answer the questions from the committee", and that the responses received have been "consistently slow and unsatisfactory". He also acknowledged that the scale of the issue may be far greater than currently recognised, and that the number of Facebook users affected could potentially be far higher than currently known.
At £500,000, the penalty amounts to the then-highest fine available to the ICO. Despite this, many will consider it to be nothing short of a massive let-off for Facebook (especially when one considers that in the first quarter of 2018, the company took £500,000 in revenue every five and a half minutes). This is because the ICO conducted its investigation under, and its judgment was bound by, the older regime of the 1998 Data Protection Act.
Since the coming into force of the new 2018 regime under the GDPR, companies can now expect to be on the receiving end of far greater fines for breaches of data laws. The older £500,000 cap under the 1998 Act has now been replaced by the GDPR, which sets the cap for fines at the higher level of €20 million (approximately £17 million), or 4% of global annual turnover. In Facebook terms, this could amount to a fine of £1.4 billion. Elizabeth Denham, the Information Commissioner on the investigation, has already stated that it is possible that fines for similar breaches by companies in the future could reach these extraordinary heights.
From today's news, then, companies should heed a strong warning. The inquiry is already being described as 'the most important investigation the ICO has ever undertaken', and the result could not be clearer: the ICO is unafraid to hand down substantial fines for failure to adhere to data protection laws, and the scale of those fines looks set to get exponentially bigger.
The 2018 Data Protection Act is now fully in force, along with the higher fines it can impose. Organisations would do well to ensure they are fully compliant with the tough new regulations in order to avoid these potentially devastating penalties.
Forbes regularly advises on all matters relating to the GDPR and 2018 Data Protection Act. Contact us at firstname.lastname@example.org to discuss any issues further.