Facebook has been issued with a maximum fine of £500,000 for breaches relating to the Cambridge Analytica scandal, Britain’s data watchdog has said.
The social network processed the personal information of users unfairly by allowing app developers access to their details without clear consent, an investigation by the Information Commissioner’s Office (ICO) found.
Facebook allowed access even if users had not downloaded the app, but were simply ‘friends’ with people who had. This lasted for seven years, until 2014.
The firm’s attempt to persuade the Information Commissioner’s Office to reduce the penalty was unsuccessful.
Announcing the ruling, Information Commissioner Elizabeth Denham said Facebook should have “known better”.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data,” Denham said on Thursday. “A company of its size and expertise should have known better and it should have done better.”
Cambridge Analytica, which worked with private companies and political campaigns to devise digital communications, was exposed by an investigation by the Observer and Channel 4 News earlier this year.
The newspaper and broadcaster found evidence that the firm had exploited a loophole in Facebook’s data policies to extract the personal information of millions via an app which appeared as a fun quiz.
Cambridge Analytica shut down in May following the exposé.
A spokesperson for Facebook said in a statement: “We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.
“Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”
Thursday’s fine was issued under the Data Protection Act 1998 as the breach occurred before the introduction of new legislation.
A new Data Protection Act was introduced in May this year alongside the General Data Protection Regulation (GDPR). Under these, a company can be fined up to £17 million or 4% of global turnover.
Last year, Facebook had global turnover of £31.5 billion ($40.7bn).
The ICO’s fine will be the first issue affecting Facebook’s reputation to be handled by former Liberal Democrat leader Nick Clegg in his new role as the social network’s head of global affairs and communications.