Facebook’s failure to ensure that Cambridge Analytica had deleted user data will cost it £500,000 ($663,306), according to the U.K.’s Information Commissioner’s Office, which also intends to open a criminal case against the data analytics firm.
The social media giant seemed resigned to taking its medicine. “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” Facebook Chief Privacy Officer Erin Egan said in a statement. “We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries.”
Egan said Facebook is “reviewing the report and will respond to the ICO soon.”
An app developed by Cambridge University professor Aleksandr Kogan called thisisyourdigitallife harvested data for the firm, owned in part by hedge fund operator Robert Mercer and once led by former White House adviser Steve Bannon. About 270,000 Facebook users signed up to take a paid personality test through the app. Their data and that of their friends, counting in the millions, was passed along to Cambridge Analytica.
“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons,” whistleblower Christopher Wylie, who worked closely with Kogan, said as the scandal broke. “That was the basis the entire company was built on.”
By passing along information from users who had not given permission to a third party and then also not properly deleting that data, Facebook said Kogan and Cambridge Analytica broke its rules. The entire debacle brought intense scrutiny to the data collection and sharing practices of Facebook and other social media firms.
Calling the fine “a salutary lesson to companies operating within the European region,” Christopher Littlejohns, EMEA manager at Synopsys, said, “The underlying contraventions are considered by regulatory authorities to be on the top end of the scale of violations of data privacy.”
If a “similarly grave issue” should occur now, Littlejohns said, “fines within the new GDPR regime could easily cost Facebook hundreds of millions of dollars of revenue.”
Those large fines could “significantly affect operating margin, and ultimately share prices of large companies,” he said, explaining that “personal data collectors and aggregators are particularly at risk to these issues, due to the scale and value of the data they collect; and consequently should be extremely vigilant and diligent in their custodianship of such data.”
He urged companies to “undertake effective risk analysis, data privacy management, ongoing diligence, and open communication with users and authorities when breaches occur” or “potentially face severe business impediments at best, and existential threats at worst.”
The ICO, worried, too, according to a BBC report, that the U.K.’s 11 main political parties may have procured from data brokers lifestyle information on citizens without their permission and has beseeched them to review their data protection measures.