The UK’s Information Commissioner has formally fined Facebook £500,000 – the maximum available – over the Cambridge Analytica scandal.
In a monetary penalty notice issued this morning, the Information Commissioner’s Office (ICO) stated that the social media network had broken two of the UK’s legally binding data protection principles by allowing Cambridge academic Aleksandr Kogan to harvest 87 million Facebook users’ personal data through an app disguised as an innocent online quiz.
“Facebook… failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge,” said the ICO in its statement on the fine.
Data harvested by GSR would later be passed to SCL Elections Ltd, the company behind Cambridge Analytica. The fine was telegraphed by the data protection regulator back in July.
“The Facebook Companies thereby acted in breach of section 4(4) of the [Data Protection Act], which at all material time required data controllers to comply with the data protection principles in relation to all personal data in respect of which they were the data controller,” continued the ICO in its penalty notice (PDF, 27 pages).
The £500k fine is the maximum penalty available to the ICO under 1998’s Data Protection Act. The regulator noted: “But for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty.” Nonetheless, with Facebook making a net income of $5.1bn in its latest fiscal quarter, the penalty amounts to just over quarter of an hour’s profits*.