The Information Commissioner’s Office is set to fine Facebook £500,000 for failing to safeguard users’ personal data. It follows an investigation prompted largely by reporting in the Observer.
The ICO said today that it believes Facebook breached the Data Protection Act 1998 twice, by failing to safeguard people’s information and failing to be transparent about how its users’ data was being harvested.
The social media giant and UK data firm Cambridge Analytica have been the focus of the ICO’s investigation since March when the Observer, Channel News and the New York Times exposed claims of data mishandling.
The Observer’s Carole Cadwalladr led on an interview with whistleblower Christopher Wylie who revealed a personality quiz app had been used to harvest the data of 50m Facebook users, including those in the UK.
The number of Facebook users affected is now estimated at 87m.
Information Commissioner Elizabeth Denham said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.
She added: “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
The Digital, Culture, Media and Sport Select Committee has questioned senior figures from Facebook and Cambridge Analytica during its ongoing inquiry into fake news, and will release its own interim report into data misuse in political campaigns later this month.
Committee chairman Damian Collins said today: “Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way.
“This cannot by left to a secret internal investigation at Facebook. If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.
“Facebook users will be rightly concerned that the company left their data far too vulnerable to being collected without their consent by developers working on behalf of companies like Cambridge Analytica.
“The number of Facebook users affected by this kind of data scraping may be far greater than has currently been acknowledged. Facebook should now make the results of their internal investigations known to the ICO, our committee and other relevant investigatory authorities.”
Facebook has said it only found out about the data breach issue after a report by Harry Davies in the Guardian in December 2015 revealed Cambridge Analytica had “hoovered” up personal data from Facebook to boost US presidential candidate Ted Cruz’s election campaign.
However Collins said: “The company has consistently failed to answer the questions from our committee as to who at Facebook was informed about it.
“They say that [Facebook founder] Mark Zuckerberg did not know about it until it was reported in the press this year.
“In which case, given that it concerns a breach of the law, they should state who was the most senior person in the company to know, why they decided people like Mark Zuckerberg didn’t need to know, and why they didn’t inform users at the time about the data breach.
“Facebook need to provide answers on these important points. These important issues would have remained hidden, were it not for people speaking out about them. Facebook’s response during our inquiry has been consistently slow and unsatisfactory.”
The ICO began looking into whether personal data had been misused by campaigns on both sides of the EU referendum in March 2017, soon after a report in the Observer examining the links between US billionaire Robert Mercer, US President Donald Trump, former UKIP leader Nigel Farage, the Leave campaign and Cambridge Analytica.
The Observer article remains the subject of a legal complaint by Cambridge Analytica and parent company SCL Elections.
In response to the ICO’s threat of a fine, Cadwalladr tweeted last night praising her “colleagues, editors & lawyers on the Observer who brung it”.
“The oldest Sunday newspaper in the world. Sticking it to the man,” she said.
Sharing the link to her story from February 2017, she added: “This is what spurred the ICO to action, a year before Cambridge Analytica burst onto global stage.
“But it was built on collective work of journalists, academics and o/s investigators.”
The ICO’s interim report also said it was sending warning letters to 11 UK political parties with notices compelling them to agree to audits of their data protection practices.
Among other regulatory action, it will also commence a criminal prosecution for SCL Elections for failing to properly deal with the ICO’s enforcement notice.
Facebook has a chance to respond to the ICO’s notice of intent to fine it the maximum amount possible before a final decision is made later this year.