The Information Commissioner’s Office (ICO) has fined Facebook Ireland £500,000 for its role in a serious data incident involving Cambridge Analytica and its harvesting of 89 million Facebook users’ personal data for political profiling. The UK’s privacy watchdog has issued the maximum possible fine for Facebook’s failure to protect its users’ personal information. The serious data incident happened before the GDPR applied.
As a data controller, Facebook failed to comply with the data protection principles of the Data Protection Act 1998 (since replaced by the Data Protection Act 2018). At the time the data breach took place, the maximum fine permissible under the then applicable law was £500,000.
The breach was facilitated by a little-known personality quiz app, named “thisisyourdigitallife”, which collected the personal information of participants and their Facebook friends. Only around 300,000 Facebook users actually downloaded the app. However, the app was able to source data about all the Facebook friends of the app users, such as photos, pages they liked, the city they lived in, birthday, name and gender.
Most of the personal data was harvested without the Facebook users’ consent. For instance, 53 Australians downloaded the app, yet 310,00 Australians were impacted by the fact that their friends downloaded the app. Similarly, even though only 10 New Zealanders downloaded the app, 64,000 Kiwi accounts were compromised in the Cambridge Analytica breach.
Some of the data was used to target political ads at people based on their psychometric profiles. Cambridge Analytica claimed that the data processing was officially carried out for research purposes, but subsequently passed on the data for political and commercial use. The ICO said that Facebook failed to make “suitable checks on apps and developers using its platform” to prevent misuse of data.
Cambridge Analytica has claimed that it was instrumental in the success of the Trump election campaign in 2016. In a media statement that has since been removed from the Internet, Cambridge Analytica stated:
Cambridge Analytica, the market leader in the provision of data analytics and behavioral communications, would like to congratulate President-elect Donald Trump and Vice President-elect Mike Pence on their historic victory. Cambridge Analytica was instrumental in identifying supporters, persuading undecided voters, and driving turnout to the polls. The firm’s integrated Data Science, Digital Marketing, and Polling and Research teams informed key decisions on campaigning, communications, and resource allocation. […]
Trump paid Cambridge Analytica US$5 million in September 2016 alone in the hope that data profiling would win him the presidential election. Cambridge Analytica claimed that it had 4,000 – 5,000 data points on every US individual. The YouTube video “Big Data and Psychographics in the electoral process” explains the process in more detail.
The ICO’s investigation found that Facebook failed to keep the personal information of its users secure by failing to make suitable checks on developers using its platform. The ICO concluded that Facebook unfairly processed personal data in breach of the first data protection principle, and that it also failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data (in breach of the seventh data protection principle).
The fine would have been significantly higher under the GDPR, which has been in effect since 25 May 2018. A serious data incident like this could result in a fine of up to 4% of Facebook’s global turnover, i.e. up to £22.6 million.
The ICO’s decision can be accessed here.