You remember the Facebook/Cambridge Analytica mess from earlier this year? Well, Facebook have been issued with a notice that they are to be fined £500,000 as a result of this. “What? Facebook are only fined £500,000?” I hear you cry. Yes that is maximum penalty that the Information Commissioners Office (ICO) in the UK are able to levy under the Data Protection Act 1998.
“But where are the €20m or 4% of turnover fines for violating the GDPR?” you shout. As the underlying data breach incident occurred some years ago and surfaced before the #GDPR went into effect in May 2018, then they couldn’t be prosecuted under the Data Protection Act 2018, which implements the GDPR.
But this is still a significant judgement. The ICO has gone for the maximum possible penalty against Facebook, showing that what they were up to was completely unacceptable and rightly so. They found that Facebook had breached two of the principles of data protection:
- Facebook had unfairly processed personal data.
- And they didn’t put in place appropriate measures to prevent unauthorised or unlawful processing of personal data.
So while Facebook are only fined £500,000 this time, this is a clear indication that data protection authorities won’t be afraid of going after the maximum fines available to them for failures in respect to protecting peoples personal data.
Also don’t forget that the Irish Data Protection Commissioner is investigating Facebook for a GDPR era incident. That incident started with 50m people affected with another 40m possibly impacted. It dropped down to only ~30m affected … but that’s still ~30,000,000 people. Of those, 14m had the following personal data accessed:
Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
That is a massive amount of personal data to have been harvested, and could definitely be used against the victims. That particular investigation will be a big one and will probably run into some time in 2019.
In the meantime, lets be careful out there.