Britain to Fine Facebook Over Data Breach
18.7.18 securityweek Incindent Social
Britain's data regulator said Wednesday it will fine Facebook half a million pounds for failing to protect user data, as part of its investigation into whether personal information was misused ahead of the Brexit referendum.
The Information Commissioner's Office (ICO) began investigating the social media giant earlier this year, when evidence emerged that an app had been used to harvest the data of tens of millions of Facebook users worldwide.
In the worst ever public relations disaster for the social media giant, Facebook admitted that up to 87 million users may have had their data hijacked by British consultancy firm Cambridge Analytica, which was working for US President Donald Trump's 2016 campaign.
Cambridge Analytica, which also had meetings with the Leave.EU campaign ahead of Britain's EU referendum in 2016, denies the accusations and has filed for bankruptcy in the United States and Britain.
"In 2014 and 2015, the Facebook platform allowed an app... that ended up harvesting 87 million profiles of users around the world that was then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum," Elizabeth Denham, the information commissioner, told BBC radio.
Wednesday's ICO report said: "The ICO's investigation concluded that Facebook contravened the law by failing to safeguard people's information."
Without detailing how the information may have been used, it said the company had "failed to be transparent about how people's data was harvested by others".
The ICO added that it plans to issue Facebook with the maximum available fine for breaches of the Data Protection Act -- an equivalent of $660,000 or 566,000 euros.
Because of the timing of the breaches, the ICO said it was unable to impose penalties that have since been introduced by the European General Data Protection, which would cap fines at 4.0 percent of Facebook's global turnover.
In Facebook's case this would amount to around $1.6 billion (1.4 billion euros).
"In the new regime, they would face a much higher fine," Denham said.
- 'Doing the right thing' -
"We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes," Denham said.
"New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law."
In May, Facebook chief Mark Zuckerberg apologised to the European Parliament for the "harm" caused.
EU Justice Commissioner Vera Jourova welcomed the ICO report.
"It shows the scale of the problem and that we are doing the right thing with our new data protection rules," she said.
"Everyone from social media firms, political parties and data brokers seem to be taking advantage of new technologies and micro-targeting techniques with very limited transparency and responsibility towards voters," she said.
"We must change this fast as no-one should win elections using illegally obtained data," she said, adding: "We will now assess what can we do at the EU level to make political advertising more transparent and our elections more secure."
- Hefty compensation bill -
The EU in May launched strict new data-protection laws allowing regulators to fine companies up to 20 million euros ($24 million) or four percent of annual global turnover.
But the ICO said because of the timing of the incidents involved in its inquiry, the penalties were limited to those available under previous legislation.
The next phase of the ICO's work is expected to be concluded by the end of October.
Erin Egan, chief privacy officer at Facebook, said: "We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon."
The British fine comes as Facebook faces a potential hefty compensation bill in Australia, where litigation funder IMF Bentham said it had lodged a complaint with regulators over the Cambridge Analytica breech -- thought to affect some 300,000 users in Australia.
IMF investment manager Nathan Landis told The Australian newspaper most awards for privacy breaches ranged between Aus$1,000 and Aus$10,000 (US$750-$7,500).
This implies a potential compensation bill of between Aus$300 million and Aus$3 billion.