Facebook 'walking dangerous line' as it appeals record fine

News by Tom Reeve

Security experts believe Facebook's case for appealing a record fine by the ICO is unlikely to succeed, given the evidence of lax data-control policies at the social media giant.

Facebook is appealing against a record fine levied by the ICO following the Cambridge Analytica data scandal.

The £500,000 fine, the maximum that could be assessed under the Data Protection Act 1998, was handed out by the Information Commissioner’s Office (ICO) on 25 October.

The ICO fined Facebook in part for allowing Dr Aleksandr Kogan to harvest the personal details of 87 million Facebook users through a personality quiz app. Crucially, only a fraction of those users had even signed up to use the quiz; the rest of the users’ data was harvested because Facebook’s platform policies allowed an app to read the personal information of the friends of each person who installed it, without those friends ever having consented.

Kogan was able to do this because of underlying flaws in the social media giant’s data control policies, the ICO said when it announced the fine last month. Facebook also failed to take timely action to limit the use of the data after its misuse was discovered in December 2015, the ICO said.

Kogan shared the information he harvested with Cambridge Analytica, a political consultancy which used the data to target voters in the US and also has links to organisations which campaigned in favour of a leave vote in the 2016 EU referendum.

The ICO estimated that 1.1 million UK citizens were affected by Kogan’s data harvesting.

However, Cambridge Analytica says it only acquired records of 30 million people, and the ICO found no evidence that those records included UK citizens. That finding forms the basis of Facebook’s appeal.

Facebook said: "The ICO’s investigation stemmed from concerns that UK citizens’ data may have been impacted by Cambridge Analytica, yet they now have confirmed that they have found no evidence to suggest that information of Facebook users in the UK was ever shared by Dr Kogan with Cambridge Analytica, or used by its affiliates in the Brexit referendum. Therefore, the core of the ICO’s argument no longer relates to the events involving Cambridge Analytica."

The appeal will be heard by the First-Tier Tribunal.

Oz Alashe MBE, CEO of the cyber security training platform CybSafe, said that a successful appeal could set a dangerous precedent. "If Facebook does succeed with this appeal, it sets a worrying precedent for the future," he said.

"If companies don’t keep their customers’ personal data secure, then in today’s climate, they should expect to be fined if they get caught. The point is not whether there’s been a data leak; the point is that, according to the ICO investigation, Facebook had poor cyber-security practices which defied UK data protection laws.

"Businesses shouldn’t store data insecurely, and only face consequences if they suffer a data breach. Businesses should be storing data securely in the first place. The fine is there to encourage businesses to take the correct preemptive steps – not merely as a reactive punishment."

Joseph Carson, chief security scientist at Thycotic, told SC Media UK: "Facebook are walking a very fine line here and should be cautious in trying to avoid paying a small fine for their lack of responsibility and accountability for the abuse of personal information by Cambridge Analytica.

"The technicality that Facebook are using to avoid the fine, that there is no evidence of UK citizens’ data being abused, is highly likely to fail as it is known that UK citizens did in fact take the survey in question. So this would likely only delay such fines or see Facebook avoid this fine only to be challenged under EU GDPR for the large data breach in September 2018 that would result in a much more serious financial fine for failure to protect sensitive personal information."

Mayur Upadhyaya, managing director for EMEA at Janrain, said, "When the penalty notice was issued under the Data Protection Act, it stated that UK Facebook users had been impacted by the ‘thisisyourdigitallife’ application, and its exploits of the V1 Facebook Graph that allowed the harvesting of data of users and their friends.

"Since then, Facebook has claimed that no UK citizen data had been exposed as part of this penalty, and as such, was not in breach of the first principle of the Data Protection Act (fairly and lawfully processed). However, due to the seventh principle (secure), the ICO claims a breach because Facebook did not take appropriate steps – here the grace period offered to the ‘thisisyourdigitallife’ application to continue to exploit V1 Graph, even though denied on V2, does place them on shaky ground."

Rachel Aldighieri, managing director of the DMA, said, "It is important for both businesses and consumers to have clarity, transparency and consistency in regulators’ investigative processes. This will ensure businesses are clear about what is expected of them and create a consistent standard for responsible marketing that consumers can trust."
