No admission of liability
In the lead-up to 2015 app developers harvested personal data of millions of users and their Facebook friends without their consent. The ICO found that Facebook failed to sufficiently protect user’s personal information. It levied the maximum possible penalty the ICO could impose at that time. Under new data protection laws, passed in 2018, Facebook would have faced a maximum fine of up to £17 million for the same offence. By agreeing to pay the fine, Facebook has made no admission of liability. Both Facebook and the ICO have agreed to withdraw their respective appeals. As is usually the case in such proceedings, the ICO and Facebook will each pay their own legal costs. The fine is not kept by ICO but is paid to HM Treasury’s consolidated fund.
Privacy protection a top priority
The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm. It is pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. Harry Kinmonth, Director and Associate General Counsel at Facebook commented: “As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015. We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information. The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr Kogan. We look forward to continuing to cooperate with the ICO’s wider and ongoing investigation into the use of data analytics for political purposes.”
Further investigation
As part of the agreement, Facebook will gain access to documents obtained from Cambridge Analytica, which it will use to further investigate the issue.