Further fines for Facebook?
11 Jul 2018
The Information Commissioner’s Office (ICO) has announced that it intends to fine Facebook £500,000 for data breaches.
This is the first time the ICO has said it will issue the maximum fine available to it under the Data Protection Act 1998, which only goes to show the significance and potential impact on consumer privacy the regulator believes is involved in this case.
The news of the intention to fine Facebook comes from a detailed update from the regulator on its ongoing investigation into the use of data analytics in political campaigns, so while there may be some time to go until the penalties are finalised, the intent from the ICO is clear.
The ICO found Facebook had breached its own rules and failed to make sure Cambridge Analytica had deleted this personal data. The ICO will also bring a criminal action against Cambridge Analytica's defunct parent company SCL Elections.
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act,” said Elizabeth Denham, the information commissioner. “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
Discussing the ICO’s announcement, Rachel Aldighieri, MD of the DMA, said, “It’s encouraging to see the ICO is not allowing Cambridge Analytica, and its associated businesses, to avoid justice through insolvency and it will be holding the senior management of these businesses accountable.”
The fine is modest compared with previous sanctions on Facebook. In 2017 it was fined 110m euros (£95m) by the European Commission, which in the same year also fined Google 2.42bn euros (£2.1bn).
The potential impact of data breaches and privacy concerns like this goes far beyond the monetary penalties: the long-term effects on customer trust, share price and public perception of breaking the law could be even more damaging in the long run. Elizabeth Denham has supported this view and believes companies should also be just as worried about reputational damage.
Under the new GDPR regulations, brought into UK law in the recent Data Protection Act 2018 that came into force on 25 May, the penalties available to the ICO could have been even more severe – 4% of an organisation’s global annual turnover or €20m, whichever is higher.
All businesses must be upfront and transparent about how they collect and use their customers’ data. The benefits of sharing data must also be clear and the consumers must be in control.
Recent DMA research supports this. The DMA’s ‘Data privacy: What the consumer really thinks’ report found 88% of people in the UK want more transparency around how their data is used. The DMA also outlines how businesses can do this in the DMA Code, which calls for all DMA UK members to be accountable for how they use personal data.
This is a key challenge that all businesses need to address if they are to build trust with consumers and long-term relationships that can be mutually beneficial to both businesses and their customers.