Facebook fined for data breaches in Cambridge Analytica scandal
Firm fined £500,000 for lack of transparency and failing to protect users' information
Facebook is to be fined £500,000, the maximum amount possible, for its part in the Cambridge Analytica scandal, the information commissioner has announced.
The fine is for two breaches of the Data Protection Act. The Information Commissioner's Office (ICO) concluded that Facebook failed to safeguard its users' information and that it failed to be transparent about how that data was harvested by others.
"Facebook has failed to provide the kind of protections they are required to under the Data Protection Act," said Elizabeth Denham, the information commissioner. "Fines and prosecutions penalise the bad actors, but my real aim is to impact change and restore trust and confidence in our democratic system."
In the first quarter of 2018, Facebook took £500,000 in revenue every five and a half minutes. Because of the timing of the breaches, the ICO said it was unable to levy the penalties introduced by the European General Data Protection Regulation (GDPR), which caps fines at the higher of €20m (£17m) or 4% of global turnover; in Facebook's case, $1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.
On Wednesday, Denham said: "This was a very serious contravention, so in the new regime they would face a much higher fine."
Asked on BBC Radio 4's Today programme if the fine now would amount to hundreds of millions of pounds, she said it could.
Denham added: "This is not all about penalties though; any company is worried about its reputation, because people want to feel that their data is safe."
In 2014 and 2015, the Facebook platform allowed an app that ended up harvesting 87m profiles of users around the world, which were then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum.
Facebook's chief privacy officer, Erin Egan, said of the intent to fine: "As we have said before, we should have done more to investigate assertions about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon."
The inquiry, described by Denham as the most important investigation that the ICO has ever undertaken, has also resulted in warning letters being sent to 11 political parties (every UK party with an MP in the House of Commons as of March 2017, when the investigation began) and notices obliging them to agree to data protection audits.
It has led to a criminal prosecution of SCL Elections, Cambridge Analytica's parent company, for failing to properly deal with the ICO's enforcement notice, and an enforcement notice against the same for not replying to a subject access request from an American whose data it held.
SCL Elections declared bankruptcy in May, two months after the Observer reported that 50m Facebook profiles had been obtained. Denham said the ICO was examining whether the company's directors could still be pursued now that SCL Elections had been placed into administration.
The investigation also found that Aggregate IQ, a Canadian electoral services company, had significant links to Cambridge Analytica, Denham said, and may still retain data about UK voters; the ICO has filed an enforcement notice against the company to stop processing that data.
"Most of us have some understanding of the behavioural targeting that commercial entities have used for quite some time," Denham said, "to sell us holidays, to sell us trainers, to be able to target us and follow us around the web.
"But very few people have an awareness of how they can be micro-targeted, persuaded or nudged in a democratic campaign, in an election or a referendum.
"This is a time when people are sitting up and saying we need an intermission here, and we need to be sure we are comfortable with the way personal data is used in our democratic process."
The ICO had concerns about a number of aspects of political campaigning more broadly. It found that some unnamed political parties were using software that could predict the ethnicity of voters, for instance, and found others acquiring data from problematic sources.
In response to the ICO's report, Damian Collins, chair of a parliamentary committee investigating online disinformation, said it was essential that the public know whether two organizations harvested data from Facebook.
"This cannot be left to a secret internal investigation at Facebook," Collins said. "If other developers broke the law we have a right to know, and the users whose data may have been compromised in this route should be informed."
As part of its investigation, the ICO also issued a notice of intent to take regulatory action against Lifecycle Marketing (Mother & Baby) Limited, a data broker that provides information to new mothers and the trading name of the website Emma's Diary, which was used by the Labour party.
Its financial accounts describe its principal activity as the marketing of brands and products to prenatal and postnatal mothers via channels multiple touchpoints for the provision of information and guidance to new mothers.
"We were significantly concerned around the nature of the data that the political parties had access to," said Steve Wood, the deputy information commissioner, "and we followed the trail to look at the different data brokers who were furnishing the political parties.
"Emma's Diary is one of the first ones, as part of that investigation, which has come to fruition. We saw there were really significant concerns about how Emma's Diary was collecting the data, particularly involving mothers who were in hospital. We especially looked at breaches of principle one of the Data Protection Act, covering the absence of transparency and consent from the individuals, in this context, the mothers, and then how that data was subsequently used by the political parties in their profiling, analytics and targeting."
Emma's Diary says it works in a long-term partnership with the Royal College of General Practitioners and the Royal College of Midwives. In 2016 it made a profit of £1.5m on a turnover of £7.5m.
The company said: "Following the release of the ICO notice of intent against Lifecycle Marketing we do not agree with the initial findings and will be responding to them accordingly. For over 25 years we have operated with integrity and within the spirit of data regulations. As the ICO investigation continues we will freely cooperate with the investigation and cannot comment further at this stage."