Facebook receives $664,000 UK privacy fine, which could have been $1.9B under GDPR

Facebook has received a £500,000 fine ($664,000) in the UK resulting from the Cambridge Analytica data-harvesting scandal. The fine was imposed, according to the Information Commissioner’s Office (ICO), because Facebook failed to properly safeguard user information from third-party exploitation or be transparent about how personal data was potentially being used.

The revelations surrounding Cambridge Analytica and its mining of Facebook data in support of Brexit and the Trump election campaign came in March of this year. The fallout continues in Europe and the US.

Authorized under UK data protection law, the £500,000 fine was the maximum allowed given the timeline of events (2015-2016). However, had the events in question occurred after May 25 of this year, when Europe’s General Data Protection Regulation (GDPR) went into effect, the penalty could have been much more severe: up to almost $2 billion (4 percent of Facebook’s annual revenues).

The ICO fine comes in the midst of a broader investigation of data harvesting and usage by a wide range of organizations in the UK. Facebook itself continues to face various European investigations and lawsuits over privacy and data practices and could potentially see more financial penalties.

In the US, Facebook is the subject of a Federal Trade Commission (FTC) investigation that unauthorized Cambridge Analytica data mining violated Facebook’s 2011 consent decree with the agency:

Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.

If imposed, potential FTC penalties could be many billions of dollars, depending on how violations are calculated. The consent decree brings with it a potential fine of $40,000 per violation. Each individual instance of data harvesting without consent might qualify as a violation. Because there were many millions of accounts involved, there would be millions of potential violations, and the numbers could get very large quickly.

It’s unlikely, however, that the FTC will impose a trillion-dollar fine on the company. But there is some potentially serious exposure. Arguably, the bigger issue for the company is its reputation and user trust, which has suffered in the wake of Cambridge Analytica — though usage hasn’t taken an obvious hit.

In April, Facebook launched a multichannel ad campaign called “Here Together,” acknowledging mistakes and seeking to restore public trust.