Facebook hit with UK’s maximum fine as EU officials praise privacy efforts

CEO of Facebook Mark Zuckerberg testifies before the House Energy and Commerce Committee hearing on 'Facebook: Transparency and Use of Consumer Data' on Capitol Hill in Washington, DC, USA, 11 April 2018. [EPA-EFE/SHAWN THEW]

Senior EU officials extolled the successes of the bloc’s data protection regulations on Thursday (25 October), as Facebook was fined £500,000 by the UK’s Information Commissioner’s Office for its part in the Cambridge Analytica scandal.

  • Facebook hit with £500,000 (€565,000) fine for breach of EU data protection rules under the 1998 Data Protection Act
  • EU commissioner says Cambridge Analytica scandal “sent shockwaves through our democratic systems”
  • MEPs back measures to put Facebook under the microscope of EU regulators after a dramatic bid to suspend vote in parliament fell on deaf ears

Commenting on the fine, the EU’s Justice Commissioner Věra Jourová told EURACTIV.com in e-mailed comments:

“I welcome the fine imposed by ICO on Facebook in the Cambridge Analytica case. It shows data protection authorities are taking seriously the enforcement of European data protection rules.”

“The future fines should serve as deterrent and companies will have to think twice before mishandling Europeans’ personal data,” the Commissioner said.

Facebook ‘should have known better’

The UK’s Information Commissioner’s Office is the authority responsible for executing the investigation into the Facebook / Cambridge Analytica scandal, and for issuing any punitive measures.

The ICO found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing app developers access to users’ information without clear consent.

Moreover, the social media giant permitted access to users’ data from third-party platforms, even if users had not downloaded the app in question but were simply ‘friends’ with other users who had.

The £500,000 fine, which some may regard as relatively low, is actually the maximum allowable under the laws which applied at the time the incidents occurred.

The breaches that took place between 2007 and 2014 are subject to the Data Protection Act 1998, and not the more well-known General Data Protection Regulation (GDPR), which was only introduced in May this year.

Fines for violations of European privacy regulation under GDPR are much higher than those under the previous rules.

With the more modern measures, maximum fines of £17 million (€20 million) or 4% of global turnover can be issued.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation,” a statement from ICO chief Elizabeth Denham read. “The fine would inevitably have been significantly higher under the GDPR.”

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

‘Ripping apart societies’

Speaking at a high-level conference hosted by the European Data Protection Authority on Thursday, Jourová said that the Facebook/Cambridge Analytica scandal “sent shockwaves through our democratic systems,” while she also praised the success of the GDPR for providing an effective deterrent to shortfalls in data protection infrastructures.

Her stern words against Facebook and Cambridge Analytica were echoed by Isabelle Falque-Pierrotin, president of France’s data protection authority, the CNIL, who said technologies that take advantage of users’ online vulnerability are “ripping apart the fabric of our societies.”

MEPs band together

The fine comes on a day when MEPs in the European Parliament adopted a resolution that will see them urge Facebook to allow EU bodies to carry out a full audit assessing data protection and security of users’ personal data.

However, halfway through the vote, EPP’s Frank Engel called for the procedure to be postponed after it transpired that fewer than half of all MEPs were sitting in the hemicycle.

“We have fallen to 372 voting members,” Engel said. “I suggest that we discontinue this vote and we recap with a vote on this text at the next session because this cannot continue.”

Nonetheless, the procedure was allowed to go ahead after Engel failed to receive the support of his fellow MEPs in his call to push the vote back.

MEPs eventually adopted the resolution, which also seeks to prevent election manipulation on social platforms, an area in which the European Commission has taken steps after recently introducing a code of practice against disinformation. So far, Facebook, Google and Twitter have all signed up to the voluntary measures.

Ahead of the vote, the rapporteur for the resolution, S&D’s Claude Moraes, said: “This resolution sets out the measures that are needed, including an independent audit of Facebook, an update to our competition rules, and additional measures to protect our elections.

“Action must be taken now, not just to restore trust in online platforms, but to protect citizens’ privacy and restore trust and confidence in our democratic systems.”

Clegg to the rescue?

Facebook is currently in the crosshairs on both sides of the Atlantic.

In the US, three federal agencies are conducting investigations into the Cambridge Analytica violations, while as recently as last month, Facebook disclosed the fact that 30 million users had their login access tokens stolen, with the Irish Data Protection Commission saying that 10% of the affected accounts were European.

Last week, the social media giant announced former Liberal Democrat leader Nick Clegg as the head of global public relations at the firm, in a move that comes amid the very real need for Facebook to make drastic improvements to its public relations profile.

On announcing his appointment, Nick Clegg said:

“Facebook is at the intersection between a bunch of really difficult issues and questions…how do people have control over their data? How do we safeguard the integrity of our democratic processes?”

“In the many conversations I’ve had over the summer and autumn with Mark Zuckerberg and Sheryl Sandberg, I’ve been really struck with how seriously they take the responsibility that Facebook has, not just towards the users of Facebook, but to society at large.”

Zuckerberg himself also highlighted the steps that Facebook has taken to bolster its privacy and data protection reputation while calling for EU citizens to maintain “trust” in Facebook’s service.

“You do need to trust us,” Zuckerberg said, delivering a video message to the European Data Protection Board conference in Brussels on Wednesday (24 October).

“We have to think about striking the right balance between speech, security, privacy and safety.”