Facebook came under fire earlier this year when it was revealed that the private data of roughly 87 million people around the world had been harvested by Cambridge Analytica.
The firm’s CEO boasted in undercover footage that the Facebook data harvested had helped get President Donald Trump elected.
The UK’s information commissioner imposed the fine for “serious breaches of data protection law”.
The Information Commissioner’s Office (ICO) had alerted Facebook to the penalty in June under a so-called “Notice of Intent” and the fine was made public in July.
The ICO said data belonging to 87 million users was improperly accessed by Cambridge Analytica – which has since been shut down.
Facebook broke the law by failing to safeguard people’s data and not being transparent about how that data could be harvested, the investigation found.
The penalty is the maximum allowed under the Data Protection Act 1998 but is pocket change for a company valued last year at around $590bn (£445bn).
The scandal took place before new EU data protection laws that allow much larger fines came into force.
In a statement, Facebook said it is “reviewing” the decision.
It said: “While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation.”
Maximum penalty
Elizabeth Denham, the information commissioner, said: “A company of its size and expertise should have known better and it should have done better. This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation (GDPR).
“These provide a range of new enforcement tools for the ICO, including maximum fines of £17m or 4% of global turnover. We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.
“One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
One million affected in UK
It believed around one million people were affected in the UK. Earlier this year it was revealed that Canadian firm Aggregate IQ spent $2m on pro-Leave Facebook adverts ahead of the Brexit vote. However, Facebook said that there are no records of Cambridge Analytica having done the same.
Cambridge Analytica has repeatedly denied working on the EU referendum on behalf of campaign group Leave.EU, but emails provided to the committee by a former CA employee allegedly detail numerous meetings between the two organisations and an unpaid invoice for more than £40,000.
In May this year Cambridge Analytica filed for bankruptcy.