LONDON — Its more bad news for Facebook.
The social networking giant faces a fine of a half a million pounds in Britain for failing to protect peoples online data connected to the Cambridge Analytica scandal, according to a report published by the countrys privacy watchdog on Wednesday. The financial penalty would represent the first levy worldwide against the tech giant for its role in the alleged abuse.
As part of an ongoing investigation into the use of data by political groups, Elizabeth Denham, the U.K.s Information Commissioner, or ICO, said Facebook broke the countrys data protection rules by making users information available to a third-party app linked to Cambridge Analytica, a data analytics firm. Facebook also was not transparent about how peoples digital information would then be used by these companies, particularly in relation to political campaigns.
“Facebook has failed to provide the protections required under data protection laws,” Denham told reporters ahead of the reports publication. The £500,000 fine, which is the largest financial penalty the regulator can levy, “sends a clear signal that I consider this as a significant issue if you look at the impact of the data breach,” she added.
The fine is a mere rounding error compared to Facebooks $5.9 billion profit in the first three months of 2018. If the abuse had occurred under Europes new privacy standards, which came into force on May 25, the company could have been subject to potentially hundreds of millions of dollars in financial penalties.
In response, Facebook said it had taken steps against Cambridge Analytica in 2015 to shut down inappropriate collection of data, and that it is working with U.K. and other countries authorities in ongoing investigations around the world.
“Were reviewing the report and will respond to the ICO soon,” said Erin Egan, the companys chief privacy officer. Facebook has the right to respond to the regulators fine before a final decision is made in the case.
Damian Collins, the British lawmaker leading a parliamentary investigation into the political use of data, said Facebook should provide more information on other third-party apps that also may have harvested peoples data without their knowledge.
“If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed,” he said. Collins parliamentary committee will publish its own report later this month on online misinformation and data use in political campaigns.
Brexit campaign probe
The social networking giant was not the only one on Wednesday to come under scrutiny by the British regulator, which began its investigation into the use of data in political campaigns early last year, focusing on the potential misuse of personal information during the 2016 Brexit referendum.
Over the last 18 months, roughly 40 investigators have progressively extended that probe into other political uses of peoples online data, including revelations earlier this year that a third-party app developer with ties to Cambridge Analytica inappropriately collected data on up to 87 million Facebook users worldwide.
The regulators final report, including whether data was misused in the Brexit referendum, will be published in October. So far, officials have not stated publicly if either side of the 2016 vote has broken the countrys privacy rules.
As part of its announcement Wednesday, the U.K. watchdog said it had begun a criminal prosecution of SCL Elections, another data analytics firm with ties to Cambridge Analytica, over claims that it had not handed over evidence related to a potential misuse of data.
Earlier this year, both SCL Elections and Cambridge Analytica filed for bankruptcy. The companies have denied that they misused peoples Facebook data to sway either the Brexit referendum, 2016 U.S. presidential election or other campaigns worldwide. AggregateIQ, another data firm with ties to Cambridge Analytica, was also ordered Wednesday to stop processing data it held on U.K. citizens.
“The Facebook-Cambridge Analytica conundrum has created a lot of open investigations into data protection and electoral law,” said David Carroll, an American professor whose requests for information from the data analytics firm led to the U.K. regulators actions against SCL Elections on Wednesday. “Its been remarkable that the U.K. has provided jurisdiction for a U.S. citizen.”
The British watchdog also sent letters to the countrys main political parties to demand that they submit to an audit of their data practices, according to the report. In recent years, lawmakers have turned to social media platforms to target potential voters, and the U.K. regulator is concerned that some of their data-harvesting tactics may be unlawful.
In particular, at least two British political parties used data software to predict voters ethnicity. The watchdog did not name which groups had carried out such practices.
“The engagement of political parties is important,” said Steve Wood, the ICOs deputy commissioner. “Its in their interest to take this seriously.”
The regulator added that it is in the final stages of determining whether Vote Leave, the official group leading the campaign to leave the European Union, broke U.K. privacy rules by transferring data outside of the country. A decision on whether to take legal action in that case would be made by October, according to the watchdog.
Other data investigations into Leave.eu, another campaign group, and into parties connected to keeping the U.K. inside the EU during the Brexit referendum are ongoing. Denham said it would be difficult to prove categorically that peoples data had been misused to sway voters during the 2016 vote.
“Its the most important investigation that the ICO has ever undertaken,” said Denham, in reference to the final conclusions to be published in October. “Its an important moment for data protection.”