Britain’s data protection watchdog intends to fine Facebook £500,000 for failing to safeguard users’ information – the maximum amount it can levy.
The Information Commissioner’s Office (ICO) said the social media giant also broke the law by neglecting to be transparent about how the data was harvested by others.
The ICO proposes to bring criminal action against SCL Elections, the parent company of Cambridge Analytica (CA).
Although the size of the fine is a record for the ICO, campaigners said under new data laws, the penalty could have totalled hundreds of millions of pounds.
In March, Channel 4 News, in co-ordination with the New York Times and the Observer, revealed that the data of 50 million Facebook users around the world had been harvested. The total is now estimated at 87 million, the ICO said.
The regulator also announced a criminal prosecution of SCL Elections for allegedly failing to comply with an enforcement notice. The ICO had ordered the company to allow an academic to access the data it held. SCL Elections was liquidated in the wake of the scandal.
Other action taken by the ICO includes warning letters to 11 political parties and notices compelling them to agree to audits of their data protection practices.
Information Commissioner Elizabeth Denham said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
The next phase of the ICO’s work is expected to be finished by the end of October.
Damian Collins, chair of the Commons media select committee, said: “Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way. This cannot by left to a secret internal investigation at Facebook.”
Erin Egan, chief privacy officer at Facebook, said: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”
Whistleblower Christopher Wylie said on Twitter: “Months ago, I reported Facebook and Cambridge Analytica to the UK authorities. Based on that evidence, Facebook is today being issued with the maximum fine allowed under British law.”
The ICO can only fine Facebook a maximum £500,000 because the breaches happened in 2013-14, before new general data protection regulation (GDPR) laws were introduced.
Kyle Taylor, director of Fair Vote UK, said: “Under new GDPR (general data protection regulation) laws, the ICO could fine Facebook for £479 million. Unfortunately, because they had to follow old data protection laws, they were only able to fine them the maximum of £500,000. This is unacceptable.”