LONDON (Reuters) – Britain’s information regulator slapped Facebook with a small but symbolic fine for breaches of data protection law after millions of users’ data was improperly accessed by consultancy Cambridge Analytica.
The 500,000 pound ($663,850) fine is less than 10 minutes' worth of revenue for the social media firm worth $590 billion, whose shares were unchanged, but is the maximum amount allowed and represents the first move by a regulator to punish Facebook for the Cambridge Analytica controversy.
Facebook CEO Mark Zuckerberg has faced questioning by U.S. and EU lawmakers over how the political consultancy obtained the personal data of 87 million Facebook users from a researcher. The company has promised to introduce reforms to its policies before local elections in Britain next year.
Information Commissioner Elizabeth Denham said Facebook had broken the law by failing to safeguard people’s information and had not been transparent about how data was harvested by others on its platform.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law,” she said in a statement.
Facebook said it was reviewing the report and would respond soon. It can respond to the Information Commissioner’s Office (ICO) before a final decision on a fine is made.
“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” Erin Egan, Facebook’s Chief Privacy Officer, said in a statement, adding it was working closely with the ICO and authorities in the United States and other countries on investigations into the consultancy.
The fine is the maximum allowed under Britain’s old data protection law, although that was replaced in May by the European Union’s General Data Protection Regulation (GDPR), under which companies can be fined up to 4 percent of revenue for breaches.
Charity Privacy International said that regulators were getting tougher on Facebook.
“Regulators have and are using their teeth. And as Facebook needs no reminding, under the EU’s data protection law GDPR, regulators have much bigger and more significant powers, as well as the ability to issue far larger fines,” said Frederike Kaltheuner, data exploitation program lead at the charity.
The U.S. Federal Trade Commission is still investigating Facebook, and is yet to penalize the company.
British lawmakers have launched an inquiry into “fake news” and its effect on election campaigns, and have increasingly focused on Cambridge Analytica. The ICO said it was providing the interim report to help that inquiry.
“Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way,” Damian Collins, chair of the parliamentary inquiry, said.
Cambridge Analytica, which was hired by Donald Trump in 2016, has denied its work on the U.S. president’s successful election campaign made use of data.
It has also said that, while it pitched for work with campaign group Leave.EU before the Brexit referendum in Britain in 2016, it did not end up doing any work on the campaign.
The ICO’s report said other regulatory action would include a criminal prosecution against Cambridge Analytica’s parent firm, SCL Elections, for failing to deal with the regulator’s enforcement notice.
It also said it would send warning letters to 11 political parties to compel them to audit their data protection practices.
It said it was investigating both leave and remain campaigners in the referendum, and that it had issued an enforcement notice for AIQ, a data firm that worked for official Brexit campaign Vote Leave, to stop processing retained data from British citizens.
David Carroll, an academic who is attempting to recover his data from Cambridge Analytica, said the report strengthened his legal challenge.
“Our day in British court may be within reach,” he told Reuters in an email.
“The fines may seem like rounding errors for Facebook … But if American voters can somehow recover and repatriate our complete voter profiles then democracies will have won the day against dark data.”
Additional reporting by Douglas Busvine, Guy Faulconbridge and Supantha Mukherjee; editing by Stephen Addison, Alexandra Hudson and Adrian Croft