Facebook is looking at a $664,000 fine after U.K. regulators found the company broke data protection laws in its dealings with Cambridge Analytica, but the social network likely avoided a much worse fine that would have been possible under Europe's new, stricter privacy laws.
The U.K. Information Commissioner's Office is threatening the company with the maximum penalty allowed under the old data laws that applied at the time of the alleged wrongdoing. The tech giant is accused of not properly protecting user data and not disclosing properly how people's data was harvested by others.
"Facebook has failed to provide the kinds of protections they're required to do under data protection laws," Information Commissioner Elizabeth Denham said on a call with reporters. The fine "sends a clear signal that I consider this a significant issue, especially when you look at the scale and the impact of this kind of data breach."
The revelation that data belonging to as many as 87 million Facebook users and their friends may have been misused is a "game changer" in the world of data protection, Denham said. Her office is leading the European investigations into how so much data (most belonging to U.S. and U.K. residents, she says) could have ended up in the hands of Cambridge Analytica, a consulting firm that worked on Donald Trump's presidential campaign.
Facebook will get a chance to respond to the proposed penalties before the ICO releases a final decision.
"As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015," said Erin Egan, Facebook's chief privacy officer. "We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the U.S. and other countries. We're reviewing the report and will respond to the ICO soon."
The ICO could have levied a much higher and potentially more painful penalty under new European Union rules in place since May 25, under which violations could lead to fines of as much as 4 percent of a company's global annual sales. In 2017, Facebook generated $40 billion in ad sales. But the law applies only to violations committed on or after that date, not retroactively. That's why the ICO's intended fine is capped at the maximum of 500,000 pounds, or $664,000, that it could levy under previous privacy rules.
While Facebook earlier said the data of as many as 2.7 million Europeans might have been shared with Cambridge Analytica, the company last month told EU lawmakers that private data about its European users may not have fallen into the hands of the U.K.-based data-crunching venture after all. Facebook said it wouldn't be able to make any firm conclusions on the matter until it conducts its own audit.
In April, Mark Zuckerberg testified before Congress, where he faced questions about the social network's data and privacy policies. U.S. regulators are still investigating Facebook's handling of consumer data and how it has worked with third parties like Cambridge Analytica.
-- Bloomberg News