Facebook receives the “maximum possible fine” for failing to protect users’ personal data

The data regulator for England and Wales, the Information Commissioner’s Office (ICO), announced that it has concluded its investigation into the use of data analytics for political purposes by the social media giant Facebook.

The ICO has fined the ubiquitous online platform the maximum £500,000 for serious violations of data protection laws.

In a statement, the ICO said it has “considered representation from the company” and has “issued the fine to Facebook” – the maximum permissible under the laws applicable at the time of the incidents.

Luckily for Facebook, the breach occurred before the introduction of the General Data Protection Regulation (GDPR), which spared the scrutinised social platform even greater fines.

The ICO’s review focused on the years between 2007 and 2017, during which, it has been stated, Facebook abused and disseminated the personal data of its users to third-party application developers by granting them access without allowing its users to consent to the practice.

The misuse of this data was brought to light in December 2015, but Facebook acquiesced and continued to “not do enough” to guarantee that the app developers who retained the personal information had taken satisfactory remedial action, including deletion.

In total, the ICO found that personal data of at least one million UK users was among “the harvested data” and “consequentially put at risk of further misuse”.

Elizabeth Denham, the UK’s Information Commissioner, commenting on the fine, said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

The GDPR, introduced in May this year, sets maximum fines of either 20 million euros or four per cent of company turnover (whichever is the greater). It brings with it much stricter rules and regulations on how personal data can be used and processed.

To avoid the risk of enforcement action from the ICO, companies should consider and implement a range of GDPR compliance policies to ensure they comply with the new law.

For help and advice protecting customer data and addressing potential breaches, please contact our commercial team at Mackrell Turner Garrett: maung.aye@mackrell.com

Maung Aye
Maung is a partner in our Corporate and Commercial department. He joined Mackrell Turner Garrett following corporate law positions in London and in a leading regional firm in Essex. Maung read European Legal Studies at Lancaster University and the Università degli Studi di Trento and is a fluent Italian speaker.