Facebook hit with $645,000 fine in UK over Cambridge Analytica scandal

The penalty is a fraction of the amount the company could have faced had a new EU law been in effect.

Sean Keane Former Senior Writer

The UK Information Commissioner's Office followed through with its plan to fine Facebook £500,000 ($645,000 or AU$912,000) over the harvesting of users' data.

The agency said in its penalty notice that data from at least 1 million British users was "unfairly processed" and that Facebook "failed to take appropriate technical and organisational measures" against that happening.

The fine, tied to the Cambridge Analytica scandal, is the maximum amount allowed under the Data Protection Act 1998. The ICO issued the preliminary fine in July.

"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better," Elizabeth Denham, the information commissioner, said in a statement.

"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR."

Facebook noted that it's reviewing the decision, highlighting the previous admission that it "should have done more" to probe the Cambridge Analytica claims in 2015.

"We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica," a Facebook spokesperson said in an emailed statement.

"Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received."

The fine is indeed a fraction of the amount Facebook could have faced if the General Data Protection Regulation -- the EU law that gives citizens more control over their personal data -- had been in effect. The GDPR would've allowed for a maximum fine of 20 million euros or 4 percent of a company's annual global revenue from the year before, whichever is higher.

The social media giant's annual revenue in 2017 was nearly $40 billion, which would have meant a possible fine of $1.6 billion under the GDPR rules.

The ICO didn't immediately respond to a request for further comment.

Erin Egan, Facebook's chief privacy officer, said at a privacy conference Wednesday at the European Parliament in Brussels that the company would support comprehensive federal privacy regulation in the US.

First published Oct. 25, 2:10 a.m. PT.
Update, 3:37 a.m. PT: Added new Facebook statement, with a line about Cambridge Analytica servers.
Update, 9:30 a.m. PT: Added ICO statement.
