Facebook agrees to pay £500,000 ICO fine

Facebook has finally agreed to pay a 500,000 fine issued by the Information Commissioner's Office under the Data Protection Act 1998.

The two organisations came to an agreement to end respective appeals, but Facebook will not make any admission of liability in relation to the monetary penalty notice.

Following an investigation, the ICO fined Facebook under section 55A of the DPA 1998, accusing the social network of failings relating the Cambridge Analytica scandal. Facebook, however, appealed the fine arguing that there was "no evidence" that UK users' data was inappropriately shared with the third-party company.

In June, the First Tier Tribunal issued an interim decision, halting parts of the investigation and called on the ICO to disclose all materials relating to its decision-making process regarding the fine. The ICO appealed this in September, but had to wait for this agreement to continue its full investigation.

"The ICO welcomes the agreement reached with Facebook for the withdrawal of their appeal against our Monetary Penalty Notice and agreement to pay the fine," said deputy commissioner James Dipple-Johnstone. "The ICO's main concern was that UK citizen data was exposed to a serious risk of harm.

"We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people's personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case."

Speaking on behave of Facebook, its director and associate general counsel, Harry Kinmonth said the company wish it had done more to investigate claims about Cambridge Analytica in 2015.

"The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr Kogan," he said. "However, we look forward to continuing to cooperate with the ICO's wider and ongoing investigation into the use of data analytics for political purposes."

22/11/2018: Facebook appeals 500k ICO fine over 'lack of evidence' that UK users were affected

Facebook has appealed a 500,000 fine levied by the UK's data watchdog, arguing that there is "no evidence" that UK users' data was inappropriately shared with Cambridge Analytica.

Information Commissioner Elizabeth Denham revealed last month that the ICO would be issuing Facebook the maximum fine allowed under the Data Protection Act 1998 after the discovery of "serious" breaches of data regulations, including a lack of oversight over how much access developers had to user data.

The Information Commissioner's Office (ICO) found Facebook improperly processed user data by giving third-party app developers access to profiles without consent.

Cambridge Analytica, the company at the heart of an international data-sharing scandal, illicitly harvested millions of users' details without their knowledge for use in political campaigning. Independent developer Dr Aleksander Kogan, also subject to the ICO investigation, is said to have harvested 87 million profiles and shared a significant portion of these with Cambridge Analytica's parent company SLC Group.

Regulators have independently ruled the now-defunct Cambridge Analytica misused users data for microtargeting in political campaigns, including the 2016 US presidential race, and the UK's 2017 EU referendum.

Facebook decided to appeal this decision on the final day of the 28-day limit organisations are given, citing a lack of evidence that data belonging to UK users was shared with Dr Kogan, or Cambridge Analytica.

"The ICO's investigation stemmed from concerns that UK citizens' data may have been impacted by Cambridge Analytica," said Facebook's VP and associate general counsel for EMEA Anna Benckert.

"Yet they now have confirmed that they have found no evidence to suggest that information of Facebook users in the UK was ever shared by Dr Kogan with Cambridge Analytica, or used by its affiliates in the Brexit referendum.

"Therefore, the core of the ICO's argument no longer relates to the events involving Cambridge Analytica. Instead, their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal."

Benckert then likened the investigation against Facebook to chasing people down for forwarding an email or message without having agreement from each person in the original thread. She claimed this is done by millions of people every day across the internet.

"Any organisation issued with a monetary penalty notice by the Information Commissioner has the right to appeal the decision to the First-tier Tribunal. The progression of any appeal is a matter for the tribunal," an ICO spokesperson told IT Pro.

Organisations hit with a regulatory notice, whether a fine or otherwise, have a right to appeal the decision to an independent tribunal. Firms can say whether they prefer this to be decided remotely, or in-person.

At the most recent tribunal hearing concerning data protection, the ICO was ordered to reverse a 60,000 fine issued to STS Commercial Ltd. The data regulator issued the penalty in early July for violations of the DPA 2018 after the firm allegedly allowed its lines to be used to send spam texts.

No date has been set for Facebook's tribunal hearing, however, based on previous cases, it's likely it could be at least a few months before the appeal is considered.