April 2019

Five months after the implementation of the GDPR, the ICO announced that Facebook was to be fined £500,000 under previous UK data protection legislation for its part in the Cambridge Analytica scandal. In its report, the ICO concluded that Facebook had committed two breaches under the Data Protection Act 1998 (‘DPA 1998’), arguing that the company had failed to safeguard people’s information and to be transparent about how people’s data was collected by third parties.

Following the Cambridge Analytica scandal last year, Facebook’s share price collapsed after the number of Facebook users in Europe fell from 282 million to 279 million. More than £90.8b was wiped off its market value after investors were told that the number of Facebook users had dropped since the scandal was made public. In January this year Cambridge Analytica, also known as SCL Elections Ltd, was fined £15,000 for failing to comply with an enforcement notice issued by the ICO. The enforcement notice had been issued to the company after it failed to comply with a subject access request made by a US-based academic in 2017.

On 21 January 2019 CNIL, the French data protection regulator, issued Google with a 55 million euro fine for failing to provide transparent information to data subjects and for having no legal basis for processing personal information in respect of its personalised adverts function. The fine was the first major financial penalty to be imposed under the GDPR, and it certainly won’t be the last.

In September last year, the Irish Data Protection Commission announced it was launching a formal investigation into a data breach that affected more than 50m Facebook accounts. The Commission said that the investigation would examine Facebook’s compliance with the new data protection legislation, and Facebook risks facing a billion-euro fine under the new laws. The Digital, Culture, Media and Sport Select Committee (the “DCMS Select Committee”) published its final report in February 2019, criticising Facebook’s data practices and calling for the ICO to carry out a detailed investigation into the practices of the social media platform. The investigation is to include looking at the use of users’ data and users’ friends’ data, and the use of ‘reciprocity’ in the sharing of data.

Organisations that receive these larger fines under Article 83 of the GDPR must also now contend with reputational fallout given the extended powers of the ICO, namely its ability to name and shame. We are seeing how influential the media can be in reporting on breaches of this nature, and how important it is for organisations like Facebook and Google to have robust procedures in place to mitigate risks to people’s personal data and to review those procedures on a regular basis. It serves as a reminder that organisations will need to be transparent about the processing of people’s data and also to respect the privacy that people are entitled to. Our society is becoming increasingly data driven, and in the wake of investigations like the ICO’s investigation into the use of data analytics in political campaigns, we are reminded of our responsibility to learn from precedent-setting cases like Google’s and to understand what we can do to reduce the instabilities across social media platforms that lead to data breaches of this nature.