The UK data protection authority — the Information Commissioner’s Office (ICO) — has announced that it will fine Facebook £500,000 for its involvement in the Cambridge Analytica scandal. The Information Commissioner, Elizabeth Denham, has defined this investigation as the most important in the history of the ICO. While many might be disappointed at such a small fine — and rightly so — this investigation tells much about how privacy rules will be enforced moving forward. In particular:
- The fine is small but still the highest possible. The ICO assessed the case under the UK’s Data Protection Act 1998, not the GDPR, as the wrongdoing happened before May 25th, when the authority started enforcing the new regulation. Still, the amount charged to Facebook is the highest possible, and the Information Commissioner herself declared that the infringement was extremely serious and able to trigger the highest fine under GDPR, which would be 4% of Facebook’s global revenue (approximately $1.9 billion or £1.4 billion).
- Third-party risk management sits at the core of a firm’s ability to comply. The ICO has determined that Facebook failed to safeguard its users’ information and that it failed to be transparent about how that data was harvested by others. Put simply, Facebook did nothing to inform its users that it shared their data widely with Cambridge Analytica. Nor did it do anything to verify that Cambridge Analytica actually deleted the data when asked to do so. In fact, in 2015, Facebook asked Cambridge Analytica to delete users’ data, and the UK-based company provided a deletion certificate to Facebook. The investigation demonstrates that this is simply not enough. It doesn’t matter whether third parties supply you with data, technology, or services: If they touch your customers’ or employees’ personal data, their security and privacy postures directly affect your business, your security posture, and your ability to comply with regulations and customer expectations. This calls for a big change in the way companies perform due diligence on their third parties. Certifications, standards, and contracts are only one part of what’s needed. With GDPR, every company must restructure its third-party risk management operations to fit the requirements of the regulation.
- Failure to comply with a data subject request triggers potential fines. As part of this investigation, SCL Elections, Cambridge Analytica’s parent company, is also facing criminal prosecution for failing to properly deal with the ICO’s enforcement notice and has received an enforcement notice for not replying to a subject access request from a user. Most firms still doubt that a regulator would investigate companies over their inability to deal with, for example, a “right to be forgotten” request or a data access request, but this will happen much more often than we think. And when the new California Consumer Privacy Act of 2018 comes into force, we will see a further increase in users’ requests, regulatory investigations, and fines.
- Misuse of personal information has heavy political, economic, and social consequences. Facebook, Cambridge Analytica, and SCL Elections, as well as other companies such as Emma’s Diary and AggregateIQ, came under regulatory scrutiny. These companies all acted as data and/or analytics providers for UK parties. In fact, the ICO issued warning letters to 11 political parties and notices compelling them to agree to data protection audits. If identity fraud, discrimination, financial loss, and distress resulting from data breaches were not bad enough, this case shows that misuse of personal data also has severe consequences for democratic systems and their governments. Data protection investigations will become increasingly complex and will include assessing the impact of data protection infringements on a broad spectrum of policy and regulatory issues, such as competition law and welfare policies. If anything, fines and associated costs can only grow higher.
This investigation describes in some detail not only how Facebook failed to respect and protect its users’ personal data, but also its inability to manage third parties and the company’s lack of direction. More importantly, it shows how badly Facebook undermined the trust of its users. While this investigation is about one company, every business that collects and/or processes personal data must make no mistake: First and foremost, this is about customers’ trust and business reputation. Under GDPR, regulators will impose large fines and severe regulatory actions, no doubt. But more than regulators, firms should fear their customers leaving them when their data, and their trust, is breached.