The ICO had issued a Notice of Intent to Fine to Facebook in July, following an investigation into the company’s data sharing policies that exploited the data of 87 million users.

“The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had,” the ICO said, confirming the fine.

“Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organizations, including SCL Group, the parent company of Cambridge Analytica, who were involved in political campaigning in the US.

“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

During its investigation, the ICO found that the personal information of at least one million UK users was among the harvested data that was subsequently put at risk of further misuse. The information was used to help Donald Trump during his 2016 presidential election campaign.

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data,” the ICO said. “A company of its size and expertise should have known better and it should have done better.”

The penalty of £500,000 is the maximum allowed under the Data Protection Act 1998, the legislation in force at the time of the breach.
This fine represents 0.00001 percent of Facebook CEO Mark Zuckerberg’s £43 billion ($61.5 billion) fortune. However, it could have been a lot worse had the data breach taken place under the General Data Protection Regulation (GDPR) law passed in May. Under the EU’s new data protection laws, Facebook could have faced a maximum fine of £17m or 4% of global turnover – whichever is higher.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people’s personal data,” the ICO said. “Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”

In response to the ICO announcement, Facebook commented that it is “reviewing” the decision. “While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015,” a Facebook spokesperson said in a statement. “We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”