Below Gareth Oldale, Partner at Sharpe Pritchard, comments on the news that the ICO intends to issue a fine of £500,000 to Facebook following its investigation of Cambridge Analytica and the related misuse of personal data during political campaigns.
This is significant for a number of reasons. Firstly, this would be the highest fine that the ICO has ever issued, eclipsing the previous record of £400,000. It also represents the highest fine permissible under UK law for breaches arising prior to the introduction of the GDPR on 25 May. Overall, it indicates how grave the breaches of the Data Protection Act by Facebook were; the ICO has brought the full might of its legislative powers to bear against the company.
Privacy activists and victims of the data breach may be disappointed that the level of the fine is not higher. Were the breach to have happened after 25 May 2018, the ICO would have had the ability to issue a fine of up to 4% of Facebook’s annual worldwide turnover (reportedly meaning a maximum fine of £479million).
However, it does not follow that simply because the ICO issued the maximum fine available under the old regime, that it would have done the same under the new regime. When determining the level of fines, the ICO must take into account various factors, including the nature, gravity and duration of the breach, steps taken by the organisation to mitigate the damage, the degree of co-operation with the ICO’s investigation and how the breach came to be known to the ICO. Any fine it issues must be “effective, proportionate and dissuasive”. Whilst Facebook is undoubtedly vast in scale, the ICO may have determined that a fine of 4% of its annual worldwide turnover was not proportionate to the breach.
Facebook too might also have engaged differently, or been more pro-active in its response, had it known that it was facing a fine of £hundreds of millions, as opposed to £500,000. So whilst it is probable that, had the investigation been conducted under the GDPR regime, the level of the fine would have been higher than £500,000, in my view it is unlikely that it would have been as high as the full 4% of turnover.
The ICO has for a long time been keen to stress that the implementation of the GDPR will not lead to a succession of “mega fines” and that it will continue to apply fines proportionately, using them as a last resort where other enforcement action has been unsuccessful or where the breach is so severe as to merit an immediate financial penalty. Issuing a fine so soon after the implementation of the GDPR at the extreme maximum possible would be a supersonic leap that would be sure to raise eyebrows as well as a challenge from the recipient of the fine.
The recent news is also interesting because this is not the end of the ICO’s investigation, merely an interim step in the process. The fine has not actually been issued as yet, and Facebook has been invited to respond to the ICO’s Notice of Intent. Whether Facebook will seek to argue for a lower fine remains to be seen. On the one hand, it may feel a sense of relief at only picking up a £500,000 fine when in a post-GDPR world the fine would likely have been much higher. On the other hand, however, Facebook may feel compelled to test the fact that the fine is the maximum available to the ICO – i.e. that the breach could not, in that sense, have been worse.
Facebook and other multi-national tech companies will be eager to understand whether the Facebook breach sets a new bar against which future breaches will be measured, and Facebook may wish to rebut insinuations that the breach is the worst that the ICO has ever investigated (or at least has led to the most severe penalty), or that in future the benchmark will not be £500,000 for fines of this nature, but the maximum allowed under applicable law.
The ICO’s enforcement action also continues against other parties involved in the breach. Most notably, the ICO has issued a criminal prosecution for SCL Elections Ltd (the parent company of Cambridge Analytica) for failing to properly deal with the ICO’s earlier Enforcement Notice. At a time when ICO resources are stretched very thinly, it is reassuring to see that this investigation appears to be leaving no stone unturned. The ICO’s reputation is, I think, being enhanced by the robust and comprehensive approach it is taking to this matter.