The UK’s data watchdog has levied the maximum possible fine against Facebook for its failure to protect users’ personal information in the Cambridge Analytica scandal.

The fine is just £500,000 ($644,000), a small fee for a company that posted $13.2 billion in revenue in the last quarter alone. But the figure was calculated using the UK’s outdated 1998 Data Protection Act, and regulators say it would have been “significantly higher” under the EU’s new GDPR regulations, which came into force in the UK in May.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation,” said Elizabeth Denham, head of the Information Commissioner’s Office (ICO). “The fine would inevitably have been significantly higher under the GDPR.”

The ICO’s plans to levy the maximum possible fine were first reported in July, but the fee is now official. Under GDPR, the maximum fine would have been £17 million ($22 million) or 4 percent of Facebook’s global turnover.

In a press statement, the ICO said Facebook failed to make “suitable checks on apps and developers using its platform” and to keep users’ personal data safe. This meant that developer Aleksandr Kogan and his company GSR were able to harvest “the Facebook data of up to 87 million people worldwide, without their knowledge.”

A subset of this data was later shared with other groups, including Cambridge Analytica. The political consultancy group (which shut down in May) played an important role in Donald Trump’s 2016 presidential run as well as pro-Brexit campaigns in the UK. The ICO will give further evidence on the use of this data for political persuasion to the UK government in November.