[BreachExchange] UK data watchdog fines Facebook 17 minutes of net profit for Cambridge Analytica brouhaha

Destry Winant destry at riskbasedsecurity.com
Fri Oct 26 01:22:46 EDT 2018


Updated: The UK's Information Commissioner has formally fined Facebook
£500,000 – the maximum available – over the Cambridge Analytica

In a monetary penalty notice issued this morning, the Information
Commissioner's Office (ICO) stated that the social media network had
broken two of the UK's legally binding data protection principles by
allowing Cambridge academic Aleksandr Kogan to harvest 87 million
Facebook users' personal data through an app disguised as an innocent
online quiz.

"Facebook... failed to keep the personal information secure because it
failed to make suitable checks on apps and developers using its
platform. These failings meant one developer, Dr Aleksandr Kogan and
his company GSR, harvested the Facebook data of up to 87 million
people worldwide, without their knowledge," said the ICO in its
statement on the fine.

Data harvested by GSR would later be passed to SCL Elections Ltd, the
company behind Cambridge Analytica. The fine was telegraphed by the
data protection regulator back in July.

"The Facebook Companies thereby acted in breach of section 4(4) of the
[Data Protection Act], which at all material time required data
controllers to comply with the data protection principles in relation
to all personal data in respect of which they were the data
controller," continued the ICO in its penalty notice (PDF, 27 pages).

The £500k fine is the maximum penalty available to the ICO under the
Data Protection Act 1998. The regulator noted: "But for the
statutory limitation on the amount of the monetary penalty, it would
have been reasonable and proportionate to impose a higher penalty."
Nonetheless, with Facebook making a net income of $5.1bn in its latest
fiscal quarter, the penalty amounts to just over a quarter of an hour's

Under the Data Protection Act 2018, which implements the EU GDPR
rules, the maximum fine available is 4 per cent of annual global
turnover (or €20m, whichever is higher).

Elizabeth Denham, Information Commissioner, said: "Facebook failed to
sufficiently protect the privacy of its users before, during and after
the unlawful processing of this data. A company of its size and
expertise should have known better and it should have done better. One
of our main motivations for taking enforcement action is to drive
meaningful change in how organisations handle people's personal data."

The ICO has a particular bee in its bonnet about Facebook and
Cambridge Analytica, as well as the use of personal data in political
advertising campaigns more generally. On top of raiding CA's UK
offices earlier this year, it also laid a criminal charge against SCL
Elections in the magistrates' court.

A Canadian firm alleged by the ICO to be linked to Cambridge
Analytica, AggregateIQ Data Services Ltd, is appealing in the
First-Tier Tribunal against a civil enforcement notice issued by the
ICO. The company says it is not linked to the Cambridge Analytica
scandal and was merely a software developer for the controversial
company. That case will be heard in the near future. ®


*At current exchange rates, Facebook makes around £43m a day in
post-tax profits, or just under £2m per hour.

Updated at 11.27 UTC

A Facebook PR rep sent us a statement:

"We are currently reviewing the ICO's decision. While we respectfully
disagree with some of their findings, we have said before that we
should have done more to investigate claims about Cambridge Analytica
and taken action in 2015.

"We are grateful that the ICO has... confirmed they have found no
evidence to suggest UK Facebook users' data was in fact shared with
Cambridge Analytica. Now that their investigation is complete, we are
hopeful that the ICO will now let us have access to CA servers so that
we are able to audit the data they received."
