The Information Commissioner’s Office, the privacy regulator in the U.K., is threatening Facebook with its maximum penalty over the Cambridge Analytica user data scandal, but the punishment would be far more symbolic than it would be damaging.
The maximum fine that can be levied by the ICO is 500,000 pounds, or approximately $662.5 million, which Bloomberg pointed out is less than 1 percent of the $114 million Facebook generated daily in 2017.
Violations of the European Union’s recently enacted General Data Protection Regulation can result in fines of up to 4 percent of a company’s annual sales—Bloomberg’s report noted that Facebook’s 2017 revenue of $40.65 billion would mean a maximum fine of some $1.6 billion—but those rules only apply to violations starting May 25, when GDPR went into effect.
The ICO released its initial findings in a probe that examined about 30 organizations, including Facebook and other social networks, and Information Commissioner Elizabeth Denham said the fine “sends a clear signal that I consider this a significant issue, especially when you look at the scale and the impact of this kind of data breach,” according to Bloomberg.
“Facebook has failed to provide the kinds of protections it is required to do under data protection laws,” she said.
Facebook will have an opportunity to respond to the ICO before any punishment is levied. Chief privacy officer Erin Egan said in a statement: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in its investigation of Cambridge Analytica, just as we have with authorities in the U.S. and other countries. We’re reviewing the report and will respond to the ICO soon.”
A source familiar with inquiries by government agencies told CNNMoney that the U.S. Securities and Exchange Commission is examining the timing of Facebook’s disclosure of the Cambridge Analytica user data issues to investors, while the Federal Trade Commission is investigating whether the transfer of that data violated a 2011 consent decree that governs how Facebook is permitted to use consumer information.
Damian Collins, chair of the U.K. parliamentary committee that is investigating online disinformation, said in a statement: “Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other applications that ran on its platform may have scraped data in a similar way. This cannot be left to a secret internal investigation at Facebook.”
He continued, “Facebook users will be rightly concerned that the company left their data far too vulnerable to being collected without their consent by developers working on behalf of companies like Cambridge Analytica. The number of Facebook users affected by this kind of data scraping may be far greater than has currently been acknowledged. Facebook should now make the results of its internal investigations known to the ICO, our committee and other relevant investigatory authorities.”