Facebook has dropped an appeal and agreed to pay a £500,000 fine issued to it by the Information Commissioner's Office after an investigation into the misuse of personal data in political campaigns.
The UK data watchdog issued the fine last year following an investigation that found Facebook has failed to comply with UK data protection laws.
The £500,000 figure was the highest possible monetary penalty that Facebook could be fined – because the year-long investigation was opened before General Data Protection Regulation came into force. Under GDPR, the fine could have been up to 4% of Facebook's annual turnover.
The ICO's initial investigation, which lead to the fine in October last year, said that between 2007 and 2014 Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, for example allowing access even if users had not downloaded the app, but were simply 'friends' with people who had.
This access meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge, the ICO said. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica.
Facebook had appealed against the fine but has now reached an agreement with the ICO to pay it, but has made no admission of liability. It said it wished it had "done more" to investigate claims about Cambridge Analytica when they were first made in 2015.
"We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people's information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information," said Harry Kinmonth, director and associate general counsel for Facebook.
"The ICO welcomes the agreement reached with Facebook for the withdrawal of their appeal against our Monetary Penalty Notice and agreement to pay the fine," said James Dipple-Johnstone, deputy commissioner of the ICO.
"The ICO's main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy," he added.
Up to 87 million Facebook users were impacted by the Cambridge Analytica incident, which saw data collected from a personality test being shared with companies for the purposes of voter profiling ahead of elections.
MORE ON CYBER SECURITY
- UK gov't seizes documents Facebook wanted to keep private in Cambridge Analytica battle
- Election tech: The truth about Cambridge Analytica's political big data TechRepublic
- Facebook promises action on 2020 US election fraud, wipes out fake networks from Russia, Iran
- Chris Wylie: Blowing the whistle on Cambridge Analytica? Worth it CNET
- Cambridge Analytica: The bad poster-child for data misuse