Facebook Slammed With Maximum UK Privacy Fine

Failings Leading to Cambridge Analytica Scandal Earn Sharp Rebuke From Regulator


Facebook has been slammed with the maximum possible fine under U.K. law for "a very serious data incident" that exposed an estimated 87 million Facebook users' personal details.


The Information Commissioner's Office, the U.K.'s data protection authority that enforces the country's privacy laws, announced the £500,000 ($645,000) fine on Wednesday.

An investigation carried out by the ICO found that Facebook violated the country's rules on processing personal data and also "failed to take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data," each of which represented a "serious contravention" of the country's data protection principles.

Facebook didn't immediately respond to a request for comment on the ICO's fine.

Steeper Fine Warranted

Previously, the only company to have been fined £500,000 by the ICO was credit bureau Equifax, for the failures that precipitated its massive 2017 data breach (see Equifax Hit With Maximum UK Privacy Fine After Mega-Breach).

But Facebook would have been hit with a greater fine if it had been possible, said Information Commissioner Elizabeth Denham.

"The commissioner considers that the amount of £500,000 is not excessive: Indeed, but for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty," the ICO says in its penalty notice (PDF).

Because the data exposure occurred before May 25 of this year, it did not fall under the EU's General Data Protection Regulation, which went into full effect on that day. Instead, it was subject to the U.K.'s 1998 Data Privacy Act.

"The key takeaway from this announcement is that this is the maximum fine allowable for the ICO to impose under the previous data protection regime," cybersecurity expert Brian Honan, who heads BH Consulting in Dublin, tells Information Security Media Group. "Under GDPR, the fines can be much larger and organizations need to take stock that regulators will not shy away from imposing large penalties on organizations in breach of the regulation."

For breaches that have spanned or occurred since that date, however, organizations handling U.K. individuals' personal data must comply with GDPR as well as the U.K.'s Data Protection Act 2018, which includes wider requirements, including additional law enforcement and security provisions.

Organizations that fail to comply with GDPR's privacy requirements face fines of up to 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($13 million) or 2 percent of annual global revenue (see: GDPR Effect: Data Protection Complaints Spike).

Data Routed to Cambridge Analytica

The ICO's investigation found that starting in November 2013, Aleksandr Kogan - a Russian-American psychology professor at the University of Cambridge - created an app called "thisisyourdigitallife," which purported to be able to predict personalities (see: Facebook Attempts to Explain Data Leak, Denies 'Breach').

Kogan was acting "both in his own capacity and by means of his company, Global Science Research Limited," the ICO says.

Users were paid to participate, and they used their Facebook credentials to log into the app. Under Facebook's data-sharing rules at the time, the app also had access to data for Facebook friends of the users who participated.

The ICO says the app was able to access users' Facebook profiles - including name and gender - as well as birth dates, current cities, photographs in which users were tagged, pages they liked, posts on users' timelines, news feed posts, lists of friends, email addresses and Facebook messages.

Evidence suggests that the content of Facebook messages was available to the app, the ICO says. "Where the app collected data about the Facebook friends of the app's users, those friends were not informed that the app was being given access to that data and were not asked to consent to such access," the agency reports.

In April 2014, Facebook introduced changes that restricted apps' access to data, via V2 of its Graph API Platform, with those rules coming into effect by May 2015 for all existing apps, the ICO says. It says Kogan, who had claimed to Facebook that the information he was collecting was solely for research purposes, had his app reviewed by Facebook on May 6, 2014, and Facebook rejected his request to be exempt from the V2 rules.

But those rules continued to apply until May 2015 for Kogan's app, and even after that deadline, he continued to retain the "detailed information about users of their apps and their friends that they had previously collected via their apps," and Facebook "did not at that point require them to delete such data, or any of it," the ICO says.

The ICO says that of the 87 million users whose personal details were captured by the app, about 1 million appeared to be U.K.-based.

According to the ICO, Kogan and GSR shared the data with the following organizations:

Toronto Laboratory for Social Neuroscience at the University of Toronto;

Euonia Technologies Inc., a marketing company in Delaware that "may have been associated with SCL Elections Limited and Cambridge Analytica";

SCL Elections Limited, "which controls Cambridge Analytica."

Facebook didn't become aware that Kogan was using the app for commercial purposes until the Guardian published a story on the app on Dec. 11, 2015, at which point Facebook terminated the app's rights to Facebook data and launched an investigation, the ICO says.

Focus: Cambridge Analytica

Cambridge Analytica's activities were little known until early 2017, when the Guardian began examining the company's influence in political campaigns, including the referendum for the departure of the U.K. from the EU - Brexit - as well as the 2016 U.S. presidential election.

Cambridge Analytica specialized in creating powerful profiles of users based on their likes and other public data. That information was then used to target those groups with content that they were inclined to embrace. The company subsequently shuttered, with some executives setting up a new company under a different name (see Besieged Cambridge Analytica Shuts Down).

Facebook Failed to Enforce Policies

Before that, however, at least some of the data collected by Kogan and routed to Cambridge Analytica "is likely to have been used in connection with, or for the purposes of, political campaigns," the ICO says.

The ICO faulted Facebook for having policies in place that it failed to enforce.

"The Facebook companies operated a platform policy in relation to the operation of apps. However, the Facebook companies took no steps, or no sufficient steps, to ensure that the app operated consistently with the platform policy," the ICO says. Notably, Facebook failed to review the terms and conditions under which Kogan was allowed to access user data, and failed to establish "any system under which such a review would have taken place," it says.

"The key lesson for Facebook, and others, is that when you are in the business of gathering and processing the personal data of your customers, you have a duty of care to those people," Honan says. "You need to ensure the proper controls are in place to prevent the misuse and abuse of that data. Policies by themselves are not stringent enough controls; you need to also implement technical, procedural and human controls to support the goals of those policies."

Fresh Facebook Breach

While Facebook's Cambridge Analytica data scandal occurred before GDPR took effect, the social network's security team on Sept. 25 detected a massive breach that does fall under the EU's new privacy law, and which may thus prove to be the first major breach to fall under GDPR (see: Facebook Eyes Spammers for Mega-Breach).

On Oct. 12, Facebook said that 30 million people were affected by its breach and had their personal data exposed, and it said 10 percent of the breach victims are European.

Facebook, which has its European operations based in Dublin, has notified the Data Protection Commission - Ireland's data protection authority, which enforces GDPR - about the breach (see: Facebook Submits GDPR Breach Notification to Irish Watchdog).

"The Data Protection Commission's statutory investigation into the breach and Facebook's compliance with its obligations under the GDPR continues," the DPC tells ISMG.

One-Stop Shop

Under GDPR, non-EU organizations that have headquarters established in Europe can avail of what's known as the one-stop-shop mechanism. This enables organizations that engage in cross-border data processing and which have a presence across different EU member states to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each EU member state in which they have a business presence. The supervisory authority in the member state of the organization's "main establishment" takes on the role of lead supervisory authority.

The DPC says that under the GDPR, it's the lead supervisory authority for the EU operations of Facebook, Microsoft, Twitter, and soon, Google.

The ICO says it's also probing the recent Facebook breach.

"We will be making inquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any U.K. citizens have been affected," says James Dipple-Johnstone, the ICO's deputy commissioner of operations. "It's always the company's responsibility to identify when U.K. citizens have been affected as part of a data breach and take steps to reduce any harm to consumers."

This story has been updated to explain how the one-stop mechanism works.