ICO confirms Facebook’s £500,000 fine and is to give evidence in Parliament on political influencing
The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law in the context of its wide-ranging investigation into the use of data analytics for political purposes.
The company’s representations did not affect the level of the ICO’s initial proposed fine. Information Commissioner, Elizabeth Denham said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
As the contravention relates to processing under the 1998 DP Act, this is the maximum fine available. Had the ICO been able to fine under the GDPR, the fine would have been considerably bigger.
Speaking in Brussels yesterday, Denham said that she will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee on 6 November. The ICO will then issue more information on their findings.
So far, it is clear that lessons have been learned in terms of organising such a large-scale investigation. Some 60-70 members of ICO staff have been involved in this investigation which has the primary focus on 31 organisations. The ICO has been cooperating with law enforcement agencies, the Electoral Commission and many others. Now that these lines of cooperation and information exchange have been established, it will be easier to conduct a similar investigation in the future.
Denham said that in any future work, the ICO will look at the whole ecosystem and not just one company, or just social media. She said that the ICO would continue to look at political campaigning, and audit some data brokers and political parties.
James Dipple-Johnstone, Deputy Commissioner (Operations) said that the investigation has been a challenge but there is a huge amount of learning they will share with other DPAs. Steve Wood, Deputy Commissioner (Policy), added that the ICO’s policy approach will be to enforce the law but equally fulfil its ethical duty to see where there are gaps in the law, and ensure that these are addressed in the future. The ICO is therefore recommending a statutory code of practice to guide the use of personal data in political campaigning.
See the ICO’s interim report, Democracy disrupted, published in July 2018.
PL&B is conducting a survey on organisations’ experience with the UK Data Protection Act 2018, click here to take the survey and win a free day at a PL&B event!