The Information Commissioner’s Office (ICO) recently imposed the maximum possible financial penalty on Facebook for what has been described as ‘serious breaches of data protection law’.

The ICO found that, between 2007 and 2014, Facebook processed users' personal information unfairly by allowing application developers access to that information without sufficiently clear and informed consent, and by allowing such access even where users had not downloaded the 'app' themselves but were simply 'friends' with people who had. Further, Facebook failed to keep the personal information secure because it failed to make suitable checks on the apps and developers using its platform. This allowed third parties to harvest the personal data of at least one million UK users without their knowledge or consent, and Facebook failed to take adequate action even after it discovered the misuse in 2015.

The ICO imposed the maximum financial penalty available under the Data Protection Act 1998: £500,000.

The Information Commissioner, Elizabeth Denham, commented:

We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.

It should be noted that the maximum penalty that could now be imposed under the Data Protection Act 2018 and the GDPR would be £17.5 million or 4% of annual worldwide turnover, whichever is higher.

What steps has your business taken to ensure your ongoing GDPR compliance?

By Paul Sullivan FRSA
