The information Commissioner’s Office (ICO) have announced they are intending to fine Facebook, £500,000, the maximum that is allowed for data breaches under the Data Protection Act.
The ICO have said that Facebook did not make sure that Cambridge Analytica had deleted users’ information. The ICO are also pursuing an action against the now defunct parent company of Cambridge Analytica, SCL Elections.
The ICO has also been investigating political parties who buy information for electoral purposes from data brokers. One recent data breach that concerns them is a company called Emma’s Diary and another is Aggregate IQ which worked with the Vote Leave campaign in the run up to the EU Referendum and who the ICO have said must stop processing UK citizens’ data.
The fine of £500,000 is considered light given that the European Commission has imposed far greater fines in the past. In 2017, they fined Facebook 110m euros, about £95m at the time and the also fined Google £2.1b in the same year.
The ICO’s commissioner Elizabeth Denham said that companies also worried about their reputation and it was not just about the fines.
The impact of behavioural advertising, when it came to elections, was “significant” she said, and called for a code of practice to “fix the system.” She added, such a code would ensure that “elections are fair and people understand how they are being micro-targeted.”
Whilst Cambridge Analytica insisted it had deleted the data after Facebook asked them to in December 2015, the ICO said it had evidence that this was not the case.
“This potentially brings into question the accuracy of the deletion certificates provided to Facebook,” said an ICO spokesperson.
Facebook, according to the ICO had been the biggest recipient of digital advertising by political parties and campaigns to date. They also said Facebook had not explained to its members how sensitive information was being targeted or how it was being used. This could also see Facebook being in a second breach of the Data Protection Act
Facebook has a chance to respond to the Commissioner’s Notice of Intent, after which a final decision will be made.
The tech firm’s chief privacy officer issued a brief response.
“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” said Erin Egan.
“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”