ICO fines Facebook £500,000 for breaches of data protection law

The ICO have issued a fine of £500,000 to Facebook in light of serious breaches of data protection law. This was the maximum fine that could be issued under the Data Protection Act in force at the time of the breaches; under GDPR the fines could have been considerably higher.

Facebook have been found to have processed the personal information of users unfairly, notably by allowing developers access to personal information without sufficiently clear and informed consent. Access was even granted to the information of users who had not downloaded the app, but were friends of users who had.

Additionally, Facebook failed to make suitable checks on the apps and developers using their system. One developer was able to harvest the personal information of up to 87 million users worldwide, without their knowledge.

After the Cambridge Analytica story broke and the breach of data protection was identified, Facebook failed to manage the breached data, waiting almost 3 years before suspending some developers' access to the system.

Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.

Elizabeth Denham
Information Commissioner

Links

General Data Protection Regulations

Data Protection Act 2018

The UK implementation of the GDPR and the UK Data Protection Act 2018 govern how organisations may process personally identifying information.

If your organisation needs to process personal information, it needs to be registered on the ICO database, and have a Data Protection Policy in place detailing the use of personal information.

Personal information is any information that can identify an individual, such as employee names, customer IDs or CCTV footage.

If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.

Comments

  • The fine against Facebook was pointless; they can easily afford to pay that and continue to misuse our information however they want. They plug into all the websites you visit and make a list of everything you do on the internet and sell the information to advertisers. It's how they make their money, and they won't stop just because they have a fine that's less money than Facebook make in 1 hour.

    • It's true that Facebook (and almost every other web service) makes money from advertising, and again most web services will build a profile of their users to better understand them. The GDPR goes some way to helping mitigate the misuse of your personal information, but ultimately it is your responsibility to manage and look after your own information. The information only gets put onto social media sites (for example) by users; they only know what information you tell them (either directly or indirectly).