Back in 2018, one of the biggest data protection scandals in recent history broke when it was discovered that research firm Cambridge Analytica had harvested the data of millions of people around the world through Facebook, and that this data had been used for various political purposes without the consent of the individuals in question. A failure in Facebook’s data protection standards allowed Cambridge Analytica to build alarmingly detailed profiles of those individuals.
As a result, the Information Commissioner’s Office (ICO) in the UK announced that it intended to fine Facebook £500,000 as a punishment for its lax approach to data security and the privacy of its users. Facebook, of course, did not agree that this fine was fair and chose to register an appeal.
This debate raged on for several months, but it took an interesting turn after Facebook chief Mark Zuckerberg published an editorial piece in March, in which he called for governments and regulators to do more to protect data in the face of global tech giants such as Facebook.
"Lawmakers often tell me we have too much power over speech, and frankly I agree," Zuckerberg wrote.
Cynics will certainly suggest that rather than a genuine appeal for better standards, Zuckerberg is choosing to place more responsibility for data protection onto authorities rather than deal with the issue at his own company. This is something that Facebook has come under serious fire for in the past. Either way, it has struck many people as somewhat hypocritical that Zuckerberg is encouraging governments to keep social media companies on the straight and narrow whilst simultaneously appealing against one doing just that.
This was of course picked up on by the ICO.
"In light of Mark Zuckerberg's statements… about the need for increased regulation across four areas, including privacy, I expect Facebook to review their current appeal against the ICO's £500,000 fine — the maximum available under the old rules — for contravening UK privacy laws," Information Commissioner Elizabeth Denham said.
It’s worth noting that Denham highlighted that the £500,000 fine falls under the rules in force when the offence was committed (the Data Protection Act 1998). However, since the General Data Protection Regulation (GDPR) came into force in May 2018, the offence would now carry a much more severe punishment, with a theoretical fine of up to 4% of annual turnover, which in Facebook’s case could have been in excess of $2 billion.
It is still unclear whether Facebook will drop the appeal. Its reasoning for the appeal is that there is no proof that the Cambridge Analytica scandal involved UK citizens and that the fine is therefore unfair. The ICO’s response, however, is that the lax data security standards warrant a fine on their own, regardless of whether or not there’s any proof that data about UK citizens was unlawfully gathered.