Facebook must pay UK's ICO £500,000 over Cambridge Analytica scandal

The fine has now been imposed and is final, but it could have been far worse.

Facebook has been formally fined £500,000 by the UK's Information Commissioner's Office (ICO) over its role in the Cambridge Analytica scandal.

On Thursday, the ICO said the fine is now final and cannot be changed.

The fine has been imposed in connection with a data-sharing scandal which led to the abuse of data belonging to up to 87 million users in the UK, US, and beyond.

The ICO's investigation found that between 2007 and 2014, Facebook permitted the "unfair" sharing of user data with developers without "clear and informed consent."

Cambridge Analytica was able to access the data of users without their consent for the purpose of voter profiling.


During the scandal, it came to light that a user only needed to be friends with someone who had used the firm's quiz app for their own information to be shared.

"Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform," the UK regulator said. "Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion."


The ICO said in July that, in addition to the fine, the regulator plans to launch a criminal prosecution against SCL Elections Ltd, Cambridge Analytica's now-defunct parent company, after the company failed to cooperate with the ICO during its investigation into the scandal.

The fine is the maximum which can be imposed under the UK's old data protection rules, the Data Protection Act 1998.


The ICO could only issue a fine under the DPA because the breach occurred before May 25, 2018, the day the EU's General Data Protection Regulation came into force.

Under the new rules, however, any new breaches can result in companies being fined up to €20 million or 4 percent of annual global turnover, whichever is higher.

Facebook recently suffered a fresh data breach after threat actors were able to steal authentication tokens belonging to roughly 30 million accounts. In some cases, names, contact details, gender, relationship status, religion, city, dates of birth, and more were stolen.

If this latest security incident is found to have compromised sensitive data belonging to UK citizens, the company could, once again, find itself on the ICO's radar.

"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data," said Elizabeth Denham, the UK's Information Commissioner. "A company of its size and expertise should have known better and it should have done better. We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR."


A Facebook spokesperson told ZDNet:

"We are currently reviewing the ICO's decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.

We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and has also confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica.

Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received."
