Facebook earns £500,000 every 8 minutes.
On Tuesday, July 10, the United Kingdom’s Information Commissioner’s Office issued its Facebook Cambridge Analytica fine – well, its notice to fine, at least. Facebook will potentially be fined £500,000, the maximum amount possible, for two breaches of the 1998 Data Protection Act.
The ICO is the UK’s independent regulator for data protection and information rights. It serves as the country’s Data Protection Authority under the current GDPR. And there’s the rub. Had this breach occurred under the GDPR, which went into effect May 25th, it would have cost Facebook around £1.2-billion.
But, because this took place under the DPA, the precursor to the GDPR, the fines are much, much weaker. The Facebook Cambridge Analytica fine is just £500,000. The fine was announced as the ICO released its progress report, titled “Investigation into the use of Data Analytics in Political Campaigns.” (Check back tomorrow, when we dissect the report.)
Information Commissioner Elizabeth Denham said:
“We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes… New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
Denham also added that the fines and prosecutions are meant to punish bad actors, but her real goal is to restore trust and confidence to our democratic system. That’s a nice platitude, but it’s rendered even more toothless by the impotence of the penalties. That’s not to fault Denham; her – and the ICO’s – hands were tied on this one.
Fortunately, the GDPR will give DPAs like the ICO and the FTC in the USA more persuasive punitive tools.
The big question is whether it will even matter to the Facebooks and Googles of the world, both of whom have already been accused of violating the GDPR.
If you’ll remember, the Cambridge Analytica scandal blew up when it came out that a murky political organization had scraped data from over 87-million profiles using Facebook’s Graph API. The Facebook Cambridge Analytica fine was issued because Facebook failed to protect the personal information of its users.
The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.
Making the fines even more toothless, Facebook now has a chance to respond to the Commissioner’s notice of intent (to fine them), after which a final decision will be made.
Under the GDPR, this incident would have cost £1.2-billion, which sounds more substantial but in reality would only cost Facebook about two weeks’ worth of revenue.
And that’s the problem with all of the biggest tech companies: even the harshest fines aren’t going to be enough to substantially deter any of them from continuing to violate the GDPR.
Still, the fact that the Facebook Cambridge Analytica fine was only £500,000 almost feels insulting.